CVE-2026-32126
Received Received - Intake
Authorization Bypass in OpenEMR CDR Controllers Allows Admin Actions

Publication date: 2026-03-11

Last updated on: 2026-03-13

Assigner: GitHub, Inc.

Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, an inverted boolean condition in ControllerRouter::route() causes the admin/super ACL check to be enforced only for controllers that already have their own internal authorization (review, log), while leaving all other CDR controllers β€” alerts, ajax, edit, add, detail, browse β€” accessible to any authenticated user. This allows any logged-in user to suppress clinical decision support alerts system-wide, delete or modify clinical plans, and edit rule configurations β€” all operations intended to require administrator privileges. This vulnerability is fixed in 8.0.0.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-11
Last Modified
2026-03-13
Generated
2026-06-16
AI Q&A
2026-03-11
EPSS Evaluated
2026-06-14
NVD
CVE-2026-32126
EUVD
EUVD-2026-11399
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
open-emr openemr to 8.0.0.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-32126 is a high-severity authorization bypass vulnerability in OpenEMR versions prior to 8.0.0.1. It is caused by an inverted boolean condition in the ControllerRouter::route() method, which incorrectly enforces admin/super access control checks only on certain controllers ('review' and 'log') that have their own internal authorization, while skipping these checks on other Clinical Decision Rules (CDR) controllers such as alerts, ajax, edit, add, detail, and browse."}, {'type': 'paragraph', 'content': 'As a result, any authenticated user, regardless of their role, can access and perform administrative actions on these unprotected CDR controllers. This includes suppressing clinical decision support alerts system-wide, deleting or modifying clinical plans, and editing rule configurationsβ€”all operations that should require administrator privileges.'}, {'type': 'paragraph', 'content': 'The vulnerability arises because the global admin/super ACL check was removed from header.php and replaced with a flawed ControllerRouter implementation. Although the OpenEMR user interface hides these pages from non-admin users, direct URL access is not blocked, allowing unauthorized actions via crafted requests.'}, {'type': 'paragraph', 'content': 'This issue is fixed in OpenEMR version 8.0.0.1.'}] [1]

Impact Analysis

This vulnerability allows any authenticated user to perform privileged administrative operations on the Clinical Decision Rules subsystem of OpenEMR, which can have serious impacts including:

  • Suppressing clinical decision support alerts system-wide by modifying alert flags, potentially causing important clinical warnings to be missed.
  • Deleting or modifying clinical plans and associated rules, which can disrupt patient care plans and clinical workflows.
  • Editing rule configurations that govern clinical decision support, potentially leading to incorrect or unsafe clinical recommendations.

These unauthorized actions risk patient safety by allowing silent suppression of alerts and unauthorized changes to clinical data, undermining the integrity of the electronic health record system.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by attempting to access or perform administrative actions on Clinical Decision Rules (CDR) controllers such as alerts, ajax, edit, add, detail, and browse using an authenticated non-admin user account.'}, {'type': 'paragraph', 'content': 'Specifically, detection involves checking if non-admin users can suppress clinical decision support alerts or delete/modify clinical plans by sending crafted HTTP requests to exposed endpoints.'}, {'type': 'list_item', 'content': 'Use curl or similar tools to send POST requests to endpoints like deletePlan, togglePlanStatus, or commitChanges to see if these actions succeed without admin privileges.'}, {'type': 'list_item', 'content': 'Example command to test alert suppression (replace URL and parameters accordingly):'}, {'type': 'paragraph', 'content': "curl -X POST -b cookies.txt -d 'active_alert_flag=0&passive_alert_flag=0&patient_reminder_flag=0' https://your-openemr-instance/clinical_rules/ajax_endpoint"}, {'type': 'list_item', 'content': 'Example command to test clinical plan deletion:'}, {'type': 'paragraph', 'content': 'curl -X GET -b cookies.txt https://your-openemr-instance/clinical_rules/deletePlan?plan_id=123'}, {'type': 'paragraph', 'content': 'If these requests succeed for a non-admin user, the system is vulnerable.'}] [1]

Mitigation Strategies

The immediate mitigation step is to upgrade OpenEMR to version 8.0.0.1 or later, where this vulnerability is fixed.

Until the upgrade can be performed, restrict access to the affected Clinical Decision Rules controllers (alerts, ajax, edit, add, detail, browse) to only trusted administrator accounts.

Additionally, monitor and audit logs for any unauthorized access attempts to these endpoints.

Consider implementing network-level controls such as firewall rules or web application firewall (WAF) rules to block unauthorized requests to these sensitive endpoints.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32126. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart