CVE-2026-32123
Published: 11 March 2026
Summary
CVE-2026-32123 is a high-severity Incorrect Authorization (CWE-863) vulnerability in OpenEMR (vendor listed as Open-Emr). Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 29.5th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly mandates enforcement of approved authorizations for sensitive data access, addressing the broken sensitivity checks that failed to restrict group encounters.
- SI-2 (Flaw Remediation): Requires identification, reporting, and correction of flaws such as the incorrect table consultation for sensitivity; timely patching to 8.0.0.1 prevents exploitation.
- Ensures security attributes such as sensitivity are properly supported and applied across all encounter types, mitigating the failure to consult the correct table for group encounters.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes an authorization bypass in a network-accessible web application (OpenEMR), which directly enables exploitation of a public-facing application (T1190) to obtain unauthorized database contents (patient encounter data).
NVD Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, sensitivity checks for group encounters are broken because the code only consults form_encounter for sensitivity, while group encounters store sensitivity in form_groups_encounter. As a result, sensitivity is never correctly applied to group encounters, and users who should be restricted from viewing sensitive (e.g. mental health) encounters can view them. This vulnerability is fixed in 8.0.0.1.
Deeper analysis
CVE-2026-32123 is a vulnerability in OpenEMR, a free and open source electronic health records and medical practice management application. In versions prior to 8.0.0.1, sensitivity checks for group encounters fail due to the code incorrectly consulting the form_encounter table for sensitivity information, while group encounters actually store this data in the form_groups_encounter table. This results in sensitivity restrictions never being applied to group encounters, allowing unauthorized access to sensitive patient data such as mental health records. The issue is classified under CWE-863 (Incorrect Authorization) with a CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N).
An attacker with low-privilege authenticated access (PR:L) to the OpenEMR instance can exploit this vulnerability over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Exploitation consists of accessing group encounters that the sensitivity settings should have restricted, resulting in unauthorized disclosure of confidential patient information (C:H); the changed scope (S:C) in the vector indicates that the impact extends beyond the vulnerable component itself.
The OpenEMR GitHub security advisory (GHSA-j4mm-wg7q-v57q) confirms the vulnerability and states that it is fixed in version 8.0.0.1, recommending that users upgrade to this patched release to restore proper sensitivity enforcement for group encounters.
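To make the defect class concrete, the following is an added, constructed model of the authorization check described above; it is not OpenEMR's code. Only the two table names (form_encounter and form_groups_encounter) come from the advisory; the in-memory tables, the "sensitivity" column name, the user clearance model and the fail-closed behaviour of the corrected check are assumptions made for illustration. The vulnerable check consults only form_encounter, finds nothing for a group encounter, and therefore applies no restriction; the corrected check selects the table that actually stores the encounter type's sensitivity and denies when no record is found.

```python
"""Constructed model of the CWE-863 pattern behind CVE-2026-32123.

Illustrative code, not OpenEMR's implementation. Table names are from the
advisory; column names, sample rows and the clearance model are assumptions.
"""
from dataclasses import dataclass, field

# Constructed stand-ins for the two database tables named in the advisory.
# Keys are encounter ids; the "sensitivity" column name is assumed.
FORM_ENCOUNTER = {
    1001: {"pid": 7, "sensitivity": "normal"},
    1002: {"pid": 7, "sensitivity": "mental_health"},
}
FORM_GROUPS_ENCOUNTER = {
    2001: {"group_id": 3, "sensitivity": "mental_health"},
}


@dataclass
class User:
    name: str
    # Sensitivity levels this user is cleared to view (constructed ACL model).
    cleared: set = field(default_factory=lambda: {"normal"})


def vulnerable_can_view(user: User, encounter_id: int) -> bool:
    """Pre-fix pattern: only form_encounter is consulted.

    A group encounter has no row there, so no sensitivity is found and the
    check fails open: the restricted user is allowed through.
    """
    row = FORM_ENCOUNTER.get(encounter_id)
    sensitivity = row["sensitivity"] if row else None
    if sensitivity is None:
        return True  # nothing recorded -> treated as unrestricted (the bug)
    return sensitivity in user.cleared


def fixed_can_view(user: User, encounter_id: int, is_group: bool) -> bool:
    """Post-fix pattern: consult the table that stores this encounter type's
    sensitivity, and fail closed when no record exists (assumed hardening)."""
    table = FORM_GROUPS_ENCOUNTER if is_group else FORM_ENCOUNTER
    row = table.get(encounter_id)
    if row is None:
        return False  # unknown encounter -> deny rather than assume unrestricted
    return row["sensitivity"] in user.cleared


def audit_decisions(user: User) -> dict:
    """Compare both checks over the sample rows so the divergence is visible."""
    cases = [(1001, False), (1002, False), (2001, True)]
    return {
        eid: {
            "vulnerable": vulnerable_can_view(user, eid),
            "fixed": fixed_can_view(user, eid, is_group),
        }
        for eid, is_group in cases
    }


if __name__ == "__main__":
    restricted = User("clinician_without_mh_clearance")
    for eid, result in audit_decisions(restricted).items():
        print(eid, result)
```

Running the block prints one line per sample encounter; the group encounter 2001 is the only one where the two checks disagree, which is exactly the gap the advisory describes. The audit function is also a reasonable shape for a regression test after upgrading: a user without the relevant clearance must be denied on every encounter type, not only on those stored in form_encounter.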
Details
- CWE(s)