Missing Authorization in OpenEMR - CVE-2026-32126

Published: April 23, 2026


Vulnerability identifier: #VU127304
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-32126
CWE-ID: CWE-862
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenEMR
Affected software:
OpenEMR

Detailed vulnerability description

The vulnerability allows a remote user to modify or delete clinical rules and plans.

The vulnerability exists due to improper access control in ControllerRouter::route() in the Clinical Decision Rules router when handling direct requests to CDR controllers. A remote user can send crafted requests to admin-only CDR actions to modify or delete clinical rules and plans.

The issue affects controllers that do not perform their own ACL or CSRF checks, and direct URL access is not blocked for authenticated non-admin users.
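The defensive pattern that closes this class of issue is to enforce authorization and CSRF checks once, in the router, before any controller action runs, so a controller that forgets its own checks is still unreachable by direct URL. The following PHP is an added illustration of that pattern and is not OpenEMR's own code; the class and function names (`CdrRouter`, `RouteDenied`, the `hasPrivilege` callback, the privilege names and the session token value) are hypothetical and constructed for the example.

```php
<?php
// Added example (not OpenEMR's code): a minimal CDR-style router that gates
// admin-only actions centrally, so controllers lacking their own ACL/CSRF
// checks cannot be reached directly by non-admin users.
// All class, function and privilege names here are hypothetical.
declare(strict_types=1);

final class RouteDenied extends RuntimeException {}

final class CdrRouter
{
    // Deny-by-default route table: only listed actions are dispatchable,
    // and each names the privilege it requires and whether it changes state.
    private const ROUTES = [
        'rule/view'   => ['privilege' => 'cdr_view',  'mutates' => false],
        'rule/edit'   => ['privilege' => 'cdr_admin', 'mutates' => true],
        'rule/delete' => ['privilege' => 'cdr_admin', 'mutates' => true],
        'plan/edit'   => ['privilege' => 'cdr_admin', 'mutates' => true],
        'plan/delete' => ['privilege' => 'cdr_admin', 'mutates' => true],
    ];

    public function __construct(
        private Closure $hasPrivilege,      // fn(string $user, string $privilege): bool
        private string $sessionCsrfToken,   // token bound to the current session
    ) {}

    /**
     * Decide whether $request may be dispatched. $request carries 'user',
     * 'action', optionally 'method' and 'csrf_token'. Returns the action
     * name to dispatch, or throws RouteDenied before any controller runs.
     */
    public function route(array $request): string
    {
        $action = $request['action'] ?? '';
        if (!isset(self::ROUTES[$action])) {
            throw new RouteDenied("unknown action: $action");
        }
        $spec = self::ROUTES[$action];

        // Authorization is enforced here, independent of the controller.
        if (!($this->hasPrivilege)($request['user'], $spec['privilege'])) {
            throw new RouteDenied("user {$request['user']} lacks {$spec['privilege']}");
        }

        // State-changing actions must arrive via POST with a valid CSRF token.
        if ($spec['mutates']) {
            if (($request['method'] ?? 'GET') !== 'POST') {
                throw new RouteDenied("$action requires POST");
            }
            $token = $request['csrf_token'] ?? '';
            if ($token === '' || !hash_equals($this->sessionCsrfToken, $token)) {
                throw new RouteDenied("invalid CSRF token for $action");
            }
        }
        return $action;
    }
}

// Constructed demo data: 'alice' holds the admin privilege, 'bob' does not.
$privileges = ['alice' => ['cdr_view', 'cdr_admin'], 'bob' => ['cdr_view']];
$hasPrivilege = fn(string $user, string $priv): bool =>
    in_array($priv, $privileges[$user] ?? [], true);
$router = new CdrRouter($hasPrivilege, 'constructed-session-token');

$requests = [
    ['user' => 'bob',   'action' => 'rule/view'],
    ['user' => 'bob',   'action' => 'rule/delete', 'method' => 'POST', 'csrf_token' => 'constructed-session-token'],
    ['user' => 'alice', 'action' => 'rule/delete', 'method' => 'GET'],
    ['user' => 'alice', 'action' => 'rule/delete', 'method' => 'POST', 'csrf_token' => 'constructed-session-token'],
    ['user' => 'alice', 'action' => 'rule/export'],
];
foreach ($requests as $r) {
    try {
        echo "ALLOW {$r['user']} -> " . $router->route($r) . PHP_EOL;
    } catch (RouteDenied $e) {
        echo "DENY  {$r['user']} -> {$r['action']}: {$e->getMessage()}" . PHP_EOL;
    }
}
```

Run with `php router_example.php`. Only the first and fourth requests are allowed: bob is stopped at the privilege check even though he is authenticated, alice's GET to a mutating action is refused regardless of privilege, and an action missing from the table is rejected rather than falling through to a controller. Placing the checks in the router rather than in each controller is what makes a forgotten per-controller check harmless.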


How to mitigate CVE-2026-32126

Install the security update from the vendor's website.

Sources