CVE-2026-34056

HIGH

OpenEMR has a Privilege Escalation that Allows a Low-Level User to View Admin-Only Data

Title source: cna

Description

OpenEMR is a free and open source electronic health records and medical practice management application. A Broken Access Control vulnerability in OpenEMR up to and including version 8.0.0.3 allows low-privilege users to view and download Ensora eRx error logs without proper authorization checks. This flaw compromises system confidentiality by exposing sensitive information, potentially leading to unauthorized data disclosure and misuse. As of time of publication, no known patches versions are available.

References (2)

[X_Refsource_Confirm] https://github.com/openemr/openemr/security/advisories/GHSA-6qg7-6jf3-xrfh

[X_Refsource_Misc] https://github.com/openemr/openemr/releases/tag/v8_0_0_3

Scores

CVSS v3 7.7

EPSS 0.0002

EPSS Percentile 6.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-285 CWE-425

Status published

Products (2)

open-emr/openemr < 8.0.0.3

openemr/openemr <= 8.0.0.3

Published Mar 26, 2026

Tracked Since Mar 26, 2026