CVE-2026-34055
Received Received - Intake
IDOR Vulnerability in OpenEMR Patient Notes Allows Unauthorized Access

Publication date: 2026-03-26

Last updated on: 2026-03-26

Assigner: GitHub, Inc.

Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the legacy patient notes functions in `library/pnotes.inc.php` perform updates and deletes using `WHERE id = ?` without verifying that the note belongs to a patient the user is authorized to access. Multiple web UI callers pass user-controlled note IDs directly to these functions. This is the same class of vulnerability as CVE-2026-25745 (REST API IDOR), but affects the web UI code paths. Version 8.0.0.3 patches the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-26
Last Modified
2026-03-26
Generated
2026-06-16
AI Q&A
2026-03-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34055
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
open-emr openemr to 8.0.0.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows unauthorized access, modification, and deletion of patient notes by authenticated users who should not have access to those notes. This results in a high confidentiality and integrity impact on sensitive patient data.

Such unauthorized access and modification of protected health information (PHI) can lead to non-compliance with regulations like HIPAA, which mandates strict controls on access to patient data to ensure confidentiality and integrity.

Similarly, under GDPR, improper access and processing of personal health data without proper authorization violates data protection principles, potentially leading to breaches of data privacy and security requirements.

Therefore, this vulnerability poses a significant risk to compliance with common healthcare and data protection standards by enabling unauthorized disclosure and alteration of sensitive patient information.

Executive Summary

CVE-2026-34055 is an Insecure Direct Object Reference (IDOR) vulnerability in the OpenEMR electronic health records system, specifically in the legacy patient notes functionality within the web UI code paths.

The vulnerability exists because several functions in the file `library/pnotes.inc.php` perform update and delete operations on patient notes using SQL queries with `WHERE id = ?` clauses without verifying that the note belongs to a patient the authenticated user is authorized to access.

This lack of proper authorization checks allows an attacker with valid credentials and patient/notes access permissions to read, modify, delete, or mark as inactive notes belonging to other patients.

Multiple web UI components pass user-controlled note IDs directly to these vulnerable functions without adequate validation, enabling unauthorized access and modification.

Impact Analysis

This vulnerability can have serious impacts including unauthorized access and modification of patient notes by authenticated users who should not have access to those notes.

  • Read notes of other patients via the edit flow.
  • Modify notes of other patients.
  • Delete notes of other patients.
  • Mark notes as done or inactive for other patients.

The vulnerability requires only low privileges (an authenticated user with notes access) and has a high impact on confidentiality and integrity of patient data, potentially leading to data breaches and loss of data trustworthiness.

Detection Guidance

This vulnerability involves unauthorized access and modification of patient notes through the web UI by exploiting insufficient authorization checks on note IDs. Detection involves monitoring for unusual or unauthorized access patterns to patient notes, especially update or delete operations performed by users on notes that do not belong to them.

Since the vulnerability requires authenticated access with patient notes permissions, detection can include auditing logs for note modification or deletion events where the acting user is not the owner or authorized patient.

Specific commands are not provided in the available resources. However, general approaches include:

  • Reviewing application audit logs for patient note updates or deletions by users on notes outside their authorized patients.
  • Using web server or application logs to identify HTTP requests to endpoints such as `pnotes_full.php`, `pnotes_full_add.php`, `pnotes_fragment.php`, and `messages.php` with suspicious or unexpected note ID parameters.
  • Employing network monitoring tools to detect abnormal API or UI calls that manipulate patient notes with IDs not matching the authenticated user's patients.
Mitigation Strategies

The primary mitigation is to upgrade OpenEMR to version 8.0.0.3 or later, where the vulnerability is patched by enforcing patient ownership checks on all patient note operations.

If immediate upgrade is not possible, consider the following steps:

  • Restrict access to patient notes functionality to only fully trusted users with strict ACLs.
  • Monitor and audit all patient note update, delete, and status change operations for unauthorized activity.
  • Implement additional access control checks at the application or network level to prevent users from manipulating note IDs that do not belong to their authorized patients.
  • Review and harden session management and authentication mechanisms to reduce risk of credential misuse.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34055. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart