Direct Request ('Forced Browsing') in OpenEMR - CVE-2026-34051

Published: April 23, 2026


Vulnerability identifier: #VU127347
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-34051
CWE-ID: CWE-425
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenEMR
Affected software:
OpenEMR

Detailed vulnerability description

The vulnerability allows a remote user with low privileges to disclose sensitive information and modify system data.

The vulnerability exists due to improper authorization in the import/export functionality: the restricted import and export actions can be reached by a direct request, because the restrictions applied in the user interface are not enforced on the server side when the action itself is requested. A remote user who can craft the request for the action can bypass the UI restriction and perform unauthorized import or export operations, disclosing sensitive information and modifying system data.

Hiding or disabling the actions in the user interface alone does not prevent access to the functionality; authorization has to be checked by the server on every request that performs the action, not only when the link is rendered.
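The flaw class above, as an added illustration that is not OpenEMR's code and does not reproduce the affected component: a hypothetical web application whose menu hides `/import` and `/export` from a low-privileged user, beside the corrected handler that checks the caller's role on the action request itself. The sessions, roles, paths and the `forced_browsing_check` probe are constructed for the demo; the probe is the check a practitioner would run against a test instance with a low-privileged account.

```python
"""Forced browsing (CWE-425) in miniature: a restricted action that the menu
hides from low-privileged users but that the server still performs when the
action is requested directly, beside the corrected handler that checks the
caller's role on every request.  Hypothetical demo, not OpenEMR code."""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed sessions: an administrator and a low-privileged clerk.
SESSIONS = {
    "admin-token": {"user": "admin", "roles": {"admin"}},
    "clerk-token": {"user": "clerk", "roles": {"front-office"}},
}

# Hypothetical restricted actions and the role each one requires.
RESTRICTED = {"/import": "admin", "/export": "admin"}


def make_handler(enforce_server_side):
    """Build a request handler; enforce_server_side=False reproduces the flaw."""

    class Handler(BaseHTTPRequestHandler):
        def log_message(self, *args):  # keep the demo quiet
            pass

        def _session(self):
            for part in self.headers.get("Cookie", "").split(";"):
                name, _, value = part.strip().partition("=")
                if name == "session":
                    return SESSIONS.get(value)
            return None

        def _reply(self, status, body=b""):
            self.send_response(status)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def do_GET(self):
            session = self._session()
            if session is None:
                return self._reply(401)
            if self.path == "/menu":
                # UI restriction: links are rendered only for roles that hold them.
                links = [p for p, role in RESTRICTED.items() if role in session["roles"]]
                return self._reply(200, ("\n".join(links) or "(no admin links)").encode())
            if self.path in RESTRICTED:
                # The fix: authorize the action itself, not just the menu link.
                if enforce_server_side and RESTRICTED[self.path] not in session["roles"]:
                    return self._reply(403)
                return self._reply(200, f"{self.path} performed by {session['user']}".encode())
            return self._reply(404)

    return Handler


def start_server(enforce_server_side):
    server = ThreadingHTTPServer(("127.0.0.1", 0), make_handler(enforce_server_side))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def direct_request(port, path, token):
    """Request path directly with a session cookie; return (status, body)."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    req = urllib.request.Request(
        f"http://127.0.0.1:{port}{path}", headers={"Cookie": f"session={token}"}
    )
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, ""


def forced_browsing_check(port, token, paths):
    """Return the restricted paths this session can reach by direct request."""
    return [p for p in paths if direct_request(port, p, token)[0] == 200]


def run_demo(enforce_server_side):
    """Return what the clerk's menu shows and which restricted actions it can still reach."""
    server = start_server(enforce_server_side)
    try:
        port = server.server_address[1]
        menu = direct_request(port, "/menu", "clerk-token")[1]
        reachable = forced_browsing_check(port, "clerk-token", list(RESTRICTED))
        return menu, reachable
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for enforce in (False, True):
        menu, reachable = run_demo(enforce)
        label = "server-side checks" if enforce else "UI-only restriction"
        print(f"{label}: clerk menu shows {menu!r}; direct requests succeed for {reachable}")
```

With the UI-only variant the clerk's menu shows no admin links, yet both restricted actions answer 200 to a direct request from the clerk's session; with the server-side check they answer 403. The same probe loop, pointed at a patched test instance with a low-privileged account, is how to confirm the fix took effect.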


How to mitigate CVE-2026-34051

Install the security update from the vendor's website. After patching, verify that an account with low privileges can no longer perform the import and export actions by requesting them directly.