CVE-2026-32123
Improper Access Control in OpenEMR Group Encounters Disclosure
Publication date: 2026-03-11
Last updated on: 2026-03-13
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open-emr | openemr | all versions before 8.0.0.1 (8.0.0.1 itself is not affected) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 (Incorrect Authorization) | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32123 is a high-severity vulnerability in OpenEMR versions prior to 8.0.0.1: sensitivity-based access control is not enforced for group therapy encounters.
OpenEMR can tag an encounter with a sensitivity level, and a user may only open that encounter if they hold the matching sensitivity permission. The vulnerable code reads the sensitivity level only from the form_encounter table, but group encounters store their sensitivity in a separate table, form_groups_encounter.
For a group encounter the lookup therefore never sees the configured sensitivity, so the restriction meant to protect that data, such as mental health information, is not applied and users without the required permission can view it.
The root cause is the method that retrieves an encounter's sensitivity: it does not consult form_groups_encounter, so it returns the wrong answer for group encounters and the authorization decision built on it is incorrect (CWE-863).
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of protected health information (PHI) related to group therapy and other sensitive encounters.
Users who should be restricted from viewing sensitive data, such as mental health records, may gain access to this information due to the broken sensitivity checks.
The impact is primarily on confidentiality, as sensitive patient data can be exposed to users without the necessary permissions.
The vulnerability has a network attack vector, low attack complexity, requires only low privileges and needs no user interaction: any authenticated OpenEMR user who can reach the application over the network can exploit it without help from anyone else.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be confirmed by testing whether a user without the relevant sensitivity permission can open sensitive group encounter data on an OpenEMR instance older than 8.0.0.1.
A practical functional test: create a group encounter and assign it a restricted sensitivity level, then log in as a user who does not hold that sensitivity permission and try to open the encounter. If the data is shown, the instance is vulnerable.
From a code-review perspective, inspect the method that retrieves an encounter's sensitivity (e.g. getSensitivity() in src/Services/EncounterService.php) and check whether it queries only form_encounter and ignores form_groups_encounter; if so, the flaw is present.
The available resources provide no network or system commands that detect this vulnerability automatically; across a fleet, the practical check is the installed OpenEMR version compared against 8.0.0.1.
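The following Python example is added here to make the explanation above concrete; it is not code from OpenEMR or from the advisory. It builds an in-memory SQLite database with a simplified, assumed schema for the two tables the advisory names (form_encounter and form_groups_encounter), then shows a lookup that mirrors the flaw (only form_encounter is read), the corrected lookup that also consults form_groups_encounter, a hypothetical sensitivity check in the style described above (no sensitivity means unrestricted), and a detection query that lists group encounters whose sensitivity the vulnerable lookup would never see. The column names, sample rows and the can_view() rule are constructed for illustration.

```python
import sqlite3

# Constructed, simplified schema modelled on the two OpenEMR tables named in
# the advisory. Column sets are an assumption for illustration only.
SCHEMA = """
CREATE TABLE form_encounter (
    pid INTEGER, encounter INTEGER PRIMARY KEY, sensitivity TEXT
);
CREATE TABLE form_groups_encounter (
    group_id INTEGER, encounter INTEGER PRIMARY KEY, sensitivity TEXT
);
"""

# Constructed sample data: an unrestricted individual encounter, an individual
# encounter restricted to 'high', and a group therapy encounter restricted to
# 'high' that exists only in form_groups_encounter.
SAMPLE_ROWS = [
    ("form_encounter", (1, 100, None)),
    ("form_encounter", (1, 101, "high")),
    ("form_groups_encounter", (7, 200, "high")),
]


def build_db():
    """Create and populate the in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, row in SAMPLE_ROWS:
        conn.execute(f"INSERT INTO {table} VALUES (?, ?, ?)", row)
    return conn


def get_sensitivity_vulnerable(conn, encounter):
    """Mirrors the flaw: only form_encounter is consulted, so a group
    encounter yields no sensitivity at all."""
    row = conn.execute(
        "SELECT sensitivity FROM form_encounter WHERE encounter = ?",
        (encounter,),
    ).fetchone()
    return row[0] if row else None


def get_sensitivity_fixed(conn, encounter):
    """Corrected lookup: try form_encounter, then fall back to
    form_groups_encounter for group encounters."""
    for table in ("form_encounter", "form_groups_encounter"):
        row = conn.execute(
            f"SELECT sensitivity FROM {table} WHERE encounter = ?",
            (encounter,),
        ).fetchone()
        if row:
            return row[0]
    return None


def can_view(user_sensitivities, sensitivity):
    """Hypothetical sensitivity rule: an encounter with no sensitivity is
    unrestricted; otherwise the user must hold that sensitivity level."""
    return sensitivity is None or sensitivity in user_sensitivities


def check_access(conn, encounter, user_sensitivities, lookup):
    """Authorization decision as made with the given sensitivity lookup."""
    return can_view(user_sensitivities, lookup(conn, encounter))


def unenforced_group_encounters(conn):
    """Detection helper: group encounters that carry a sensitivity but have no
    form_encounter row, i.e. exactly the rows the vulnerable lookup treats as
    unrestricted. Returns a list of (encounter, sensitivity) tuples."""
    return conn.execute(
        """
        SELECT g.encounter, g.sensitivity
        FROM form_groups_encounter g
        LEFT JOIN form_encounter e ON e.encounter = g.encounter
        WHERE g.sensitivity IS NOT NULL AND g.sensitivity <> ''
          AND e.encounter IS NULL
        """
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    no_perms = set()
    for lookup in (get_sensitivity_vulnerable, get_sensitivity_fixed):
        allowed = check_access(db, 200, no_perms, lookup)
        print(f"{lookup.__name__}: user without permission sees group encounter 200 -> {allowed}")
    print("group encounters the vulnerable lookup cannot restrict:",
          unenforced_group_encounters(db))
```

Run as a script, the vulnerable lookup lets the permission-less user open group encounter 200 while the fixed lookup denies it; individual encounter 101 is denied by both, since its sensitivity lives where the vulnerable code looks. The same LEFT JOIN, adapted to the real schema, is a quick way to count how many group encounters on an unpatched instance were exposed.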
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to upgrade OpenEMR to version 8.0.0.1 or later, where the sensitivity lookup has been corrected so that access control is enforced for group encounters as well.
Until the upgrade can be applied, limit which users can reach group encounter data at all, so that users who must not see restricted sensitivity levels cannot open group encounters; this is a temporary workaround, not a fix.
Review and audit the sensitivity permissions granted to each user so that nobody holds access to sensitive group encounter data they are not entitled to, and verify after upgrading that the functional test described above now denies access.