Perceptive Security
SOC/SIEM Consultancy

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the legacy patient notes func…
Published:
25 March 2026 at 23:00:00
Alert date:
26 March 2026 at 01:02:19
Source:
nvd.nist.gov
Web Technologies, Enterprise Applications
OpenEMR, a free and open source electronic health records application, contains an Insecure Direct Object Reference (IDOR) vulnerability in its legacy patient notes functions. The vulnerability exists in library/pnotes.inc.php where updates and deletes are performed using WHERE id = ? without verifying that the note belongs to a patient the user is authorized to access. Multiple web UI callers pass user-controlled note IDs directly to these functions. This is similar to CVE-2026-25745 but affects web UI code paths instead of REST API. The issue affects versions prior to 8.0.0.3 and has been patched in version 8.0.0.3.
Technical details
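The pattern the advisory describes (an UPDATE/DELETE scoped only by `WHERE id = ?`) beside a version scoped to the patients the caller may access, as an added illustration that is not OpenEMR's code; the `pnotes` table, the `pid` column and the sample rows are constructed for the example.

```python
import sqlite3

# Constructed sample data (not OpenEMR's schema): each patient note has an
# id and belongs to one patient id (pid).
SAMPLE_NOTES = [
    (101, 1, "follow-up in two weeks"),
    (102, 2, "allergy list updated"),
]


def make_db():
    """Build an in-memory table holding the constructed sample notes."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE pnotes (id INTEGER PRIMARY KEY, pid INTEGER NOT NULL, body TEXT)"
    )
    conn.executemany("INSERT INTO pnotes VALUES (?, ?, ?)", SAMPLE_NOTES)
    conn.commit()
    return conn


def delete_note_vulnerable(conn, note_id):
    """IDOR pattern from the advisory: only the note id is checked, so any
    caller who can reach this function can delete any patient's note."""
    cur = conn.execute("DELETE FROM pnotes WHERE id = ?", (note_id,))
    conn.commit()
    return cur.rowcount


def delete_note_hardened(conn, note_id, authorized_pids):
    """Scope the statement to the patients the caller is authorized for.
    A note outside that set is simply not matched, so rowcount stays 0
    and the caller can log the denied attempt."""
    if not authorized_pids:
        return 0
    placeholders = ",".join("?" * len(authorized_pids))  # only '?' tokens
    cur = conn.execute(
        f"DELETE FROM pnotes WHERE id = ? AND pid IN ({placeholders})",
        (note_id, *authorized_pids),
    )
    conn.commit()
    return cur.rowcount


def note_exists(conn, note_id):
    """Helper for checking whether a note survived a delete attempt."""
    row = conn.execute("SELECT 1 FROM pnotes WHERE id = ?", (note_id,)).fetchone()
    return row is not None
```

A rowcount of 0 on an otherwise valid note id is the signal worth alerting on, since it means a caller referenced a note outside their patient scope.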
Mitigation steps:
Upgrade OpenEMR to version 8.0.0.3, which contains the fix (see the release and commit links below).
Affected products:
OpenEMR
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-34055
https://github.com/openemr/openemr/commit/214c9b4585a6f1c8c22750172d47f0e258fec0bf
https://github.com/openemr/openemr/releases/tag/v8_0_0_3
https://github.com/openemr/openemr/security/advisories/GHSA-8gj5-r8vm-mghq
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
