
CVE-2026-32120: Medium Vulnerability in OpenEMR

A medium-severity Insecure Direct Object Reference (IDOR) vulnerability in OpenEMR allows authenticated users to manipulate patient records. Patch available in version 8.0.0.3. Immediate action required.

Severity: Medium · CVSS 6.5 · Published March 25, 2026


CVE-2026-32120 is a medium-severity vulnerability in OpenEMR, a widely used open-source electronic health records and medical practice management application. Any authenticated user who holds fee sheet ACL access can delete, modify, or read drug_sales records belonging to arbitrary patients. The flaw is an Insecure Direct Object Reference (IDOR) in the fee sheet product save logic in library/FeeSheet.class.php: the save path accepts the hidden prod[][sale_id] form field and uses it to address drug_sales rows without checking that the row belongs to the patient and encounter the fee sheet was opened for. An attacker only needs to rewrite that hidden field before submitting the form; no other bypass is required.

The vulnerability was published on March 25, 2026, with a CVSS score of 6.5 (medium). The vector is network-based, with low attack complexity, low privileges required (a valid login with fee sheet access) and no user interaction. The published vector scores a high impact on integrity and none on confidentiality or availability, even though the description also covers reading other patients' drug_sales rows; organizations handling protected health information should assess the exposure conservatively rather than rely on the confidentiality rating alone.

Organizations using OpenEMR should prioritize patching to version 8.0.0.3, which addresses this vulnerability. Failure to do so may result in significant risks, including unauthorized access to sensitive patient data and potential compliance violations.

Currently, there are no known exploits or proofs of concept publicly available for this vulnerability, but its presence in a widely used system necessitates immediate remediation efforts.

Vulnerability Details

OpenEMR versions prior to 8.0.0.3 contain an IDOR in the fee sheet product save logic. The save() method uses the user-supplied sale_id directly in multiple SQL queries without validating that the referenced drug_sales row belongs to the current patient and encounter. The weakness is classified as CWE-639 (Authorization Bypass Through User-Controlled Key). The official CVSS score is 6.5, medium severity, driven by the high integrity impact.

Technical Analysis

The root cause of CVE-2026-32120 lies in how the fee sheet product save logic processes sale_id. The method never verifies that the supplied sale_id corresponds to the current patient and encounter, so a user with legitimate access to one patient's fee sheet can address, and rewrite or delete, rows that belong to another patient. The attack vector is network-based, the complexity is low, the only privilege needed is an account with fee sheet ACL access, and no user interaction is required. The integrity impact is high, since the attacker controls the content of sensitive billing and medication-sale records.
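The following is an added example, not code from OpenEMR or from this advisory. It models the shape of the bug described above in Python with an in-memory sqlite3 table, since the real logic is PHP in library/FeeSheet.class.php and the actual drug_sales column layout, form layout and query text are not reproduced here (the columns, the product-line dictionary and the two sample rows are assumptions constructed for the demo). The vulnerable save addresses rows by the submitted sale_id alone; the hardened save scopes every UPDATE and DELETE to the patient and encounter the fee sheet is open for, so a forged sale_id matches no row and is reported instead of applied.

```python
"""Model of the fee sheet product save logic (added example, not OpenEMR code).

Reproduces only the shape of CVE-2026-32120: a save routine that takes sale_id
straight from the submitted form and uses it in UPDATE/DELETE without checking
that the row belongs to the patient/encounter the fee sheet was opened for.
Column names, the form layout and the sample rows are assumptions for the demo.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two patients, one drug sale each."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE drug_sales (sale_id INTEGER PRIMARY KEY, pid INTEGER,"
        " encounter INTEGER, drug_id INTEGER, quantity INTEGER, fee REAL)"
    )
    db.executemany(
        "INSERT INTO drug_sales VALUES (?, ?, ?, ?, ?, ?)",
        [
            (101, 1, 11, 7, 1, 12.50),  # patient 1, encounter 11
            (202, 2, 22, 9, 2, 30.00),  # patient 2, encounter 22
        ],
    )
    return db


def save_vulnerable(db, pid, encounter, prod):
    """Vulnerable shape: trusts prod[i]['sale_id'] from the form.

    pid/encounter identify the fee sheet the user legitimately opened; prod is
    the list of product lines from the POST body, each carrying a hidden
    sale_id the user can rewrite before submitting. pid/encounter are never
    used in the WHERE clause, which is the bug.
    """
    for line in prod:
        if line.get("del"):
            db.execute("DELETE FROM drug_sales WHERE sale_id = ?", (line["sale_id"],))
        else:
            db.execute(
                "UPDATE drug_sales SET quantity = ?, fee = ? WHERE sale_id = ?",
                (line["quantity"], line["fee"], line["sale_id"]),
            )
    db.commit()


def save_fixed(db, pid, encounter, prod):
    """Hardened shape: every write is scoped to the current patient/encounter.

    A sale_id belonging to another patient (or encounter) matches zero rows,
    so the forged line is rejected and reported instead of silently applied.
    Returns the list of rejected sale_ids.
    """
    rejected = []
    for line in prod:
        if line.get("del"):
            cur = db.execute(
                "DELETE FROM drug_sales WHERE sale_id = ? AND pid = ? AND encounter = ?",
                (line["sale_id"], pid, encounter),
            )
        else:
            cur = db.execute(
                "UPDATE drug_sales SET quantity = ?, fee = ?"
                " WHERE sale_id = ? AND pid = ? AND encounter = ?",
                (line["quantity"], line["fee"], line["sale_id"], pid, encounter),
            )
        if cur.rowcount == 0:  # nothing matched: not this patient's row
            rejected.append(line["sale_id"])
    db.commit()
    return rejected


def row(db, sale_id):
    """Return (pid, encounter, quantity, fee) for a sale, or None."""
    return db.execute(
        "SELECT pid, encounter, quantity, fee FROM drug_sales WHERE sale_id = ?",
        (sale_id,),
    ).fetchone()


# The attacker's fee sheet is patient 1 / encounter 11, but the hidden
# sale_id has been rewritten to 202, which belongs to patient 2.
FORGED_PROD = [{"sale_id": 202, "quantity": 99, "fee": 0.0}]


def demo_vulnerable():
    db = make_db()
    save_vulnerable(db, pid=1, encounter=11, prod=FORGED_PROD)
    return row(db, 202)  # patient 2's row is now (2, 22, 99, 0.0)


def demo_fixed():
    db = make_db()
    rejected = save_fixed(db, pid=1, encounter=11, prod=FORGED_PROD)
    return rejected, row(db, 202)  # ([202], (2, 22, 2, 30.0)): untouched


if __name__ == "__main__":
    print("vulnerable:", demo_vulnerable())
    print("fixed:     ", demo_fixed())
```

The hardened version also catches the delete path, which is the more damaging one in practice: a DELETE scoped by pid and encounter cannot remove another patient's sale no matter what sale_id is posted, and the zero rowcount gives the caller something to log.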

Risk & Impact Analysis

Risk to organizations includes unauthorized access to and manipulation of patient records, leading to potential legal and compliance issues. Given that OpenEMR is used in healthcare settings, the vulnerability can have serious implications for patient privacy and data security. Organizations should assess their exposure based on how OpenEMR is deployed and should patch systems in line with their security policies.

Exploitation Status

Signal                Status
Known Exploit         No
Public PoC            No
Actively Exploited    No
Ransomware Use        No

Affected Versions

All versions of OpenEMR prior to 8.0.0.3 are affected by this vulnerability. Organizations using earlier versions should upgrade to the patched version to mitigate risks associated with this vulnerability.

Mitigation & Remediation

Organizations should prioritize patching OpenEMR to version 8.0.0.3 or later. Until the upgrade is applied, review who holds fee sheet ACL access: the flaw requires that permission, so restricting it to staff who actually bill from encounters narrows the population that can reach the vulnerable save path. Note that role-based access does not remove the bug, because an affected user is already authorized for the fee sheet; it only limits who can abuse it. Regular security assessments, including penetration testing with an emphasis on authorization checks on object identifiers, help find this class of flaw before it is exploited.

Detection Guidance

Exploitation is an ordinary authenticated POST of the fee sheet form over HTTPS, and the SQL runs server-side, so network signatures for abnormal SQL queries will not see it. Detection has to come from the application's own records: compare fee sheet save requests (the patient and encounter the session is working in) with the drug_sales rows that the posted sale_id values actually belong to, and flag any mismatch. Sudden changes in one user's pattern of access to patient records, or drug_sales modifications appearing under an encounter that was never opened in that session, should be investigated. A deleted row no longer carries its pid and encounter, so retrospective checks must run against backups or change logs rather than only the live table.
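As an added example of the retrospective check described above (not an OpenEMR feature and not code from this advisory), the script below takes a snapshot of drug_sales ownership and a log of fee sheet save requests, and flags every request that posted a sale_id belonging to a different patient or encounter than the one the session was working in. The JSON-per-line request log format and the sample records are constructed for the demo; OpenEMR does not log in this shape, so a real deployment would have to derive the session pid/encounter and the posted sale_ids from its own access or audit logs. A new product line in the real form carries no existing sale_id, which the check models as 0 and skips.

```python
"""Retrospective check for forged fee sheet sale_ids (added example, not
an OpenEMR feature). Assumes two exports: drug_sales ownership
(sale_id -> pid, encounter) and a log of fee sheet save requests carrying
the session's patient/encounter and the posted prod[][sale_id] values.
The log format and all records below are constructed for the demo.
"""
import json

# Constructed drug_sales snapshot: sale_id -> (pid, encounter).
DRUG_SALES = {
    101: (1, 11),
    102: (1, 11),
    202: (2, 22),
}

# Constructed request log, one JSON object per line.
#  line 1: legitimate save, plus a new line (sale_id 0 = no existing row)
#  line 2: legitimate save by another user on patient 2
#  line 3: forged: session is patient 1 / encounter 11 but posts sale_id 202
#  line 4: probe for a sale_id that does not exist at all
REQUEST_LOG = """\
{"ts": "2026-03-26T09:00:01Z", "user": "clerk1", "pid": 1, "encounter": 11, "sale_ids": [101, 102, 0]}
{"ts": "2026-03-26T09:05:12Z", "user": "clerk2", "pid": 2, "encounter": 22, "sale_ids": [202]}
{"ts": "2026-03-26T09:07:40Z", "user": "clerk1", "pid": 1, "encounter": 11, "sale_ids": [101, 202]}
{"ts": "2026-03-26T09:09:03Z", "user": "clerk1", "pid": 1, "encounter": 11, "sale_ids": [999]}
"""


def find_cross_patient_saves(log_text, drug_sales):
    """Flag requests whose posted sale_id belongs to a different pid/encounter.

    Returns a list of alerts:
        (ts, user, session_pid, session_encounter, sale_id, owner)
    where owner is the (pid, encounter) the row actually belongs to, or None
    when no such row exists (an unknown id is worth a look too: it may be an
    enumeration attempt, or a row that has already been deleted).
    """
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        session = (rec["pid"], rec["encounter"])
        for sale_id in rec["sale_ids"]:
            if not sale_id:
                continue  # new product line, nothing to verify yet
            owner = drug_sales.get(sale_id)
            if owner != session:
                alerts.append(
                    (rec["ts"], rec["user"], rec["pid"], rec["encounter"], sale_id, owner)
                )
    return alerts


def users_with_alerts(alerts):
    """Collapse alerts to the sorted set of accounts worth investigating."""
    return sorted({a[1] for a in alerts})


if __name__ == "__main__":
    found = find_cross_patient_saves(REQUEST_LOG, DRUG_SALES)
    for alert in found:
        print(alert)
    print("investigate:", users_with_alerts(found))
```

Because the snapshot only knows rows that still exist, run the check against the backup taken before the suspected window, or against a change log, so that a sale the attacker deleted still resolves to its original owner rather than showing up as an unknown id.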

AppSecure Threat Intelligence Insight

The presence of CVE-2026-32120 highlights the critical need for secure coding practices in web applications, particularly those handling sensitive data like health records. This vulnerability demonstrates a common flaw in direct object references, and organizations should take this opportunity to refine their application security posture. For further guidance, security teams can refer to resources on IDOR vulnerabilities and consider implementing comprehensive security audits to mitigate similar risks.

Additionally, organizations should stay informed about emerging threats and trends in the cybersecurity landscape. Engaging with educational resources and industry standards will aid in strengthening defenses against vulnerabilities like CVE-2026-32120.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
