Cyber Resilience

CVE-2026-34053

HighPublic PoC

Published: 26 March 2026

Published
26 March 2026
Modified
26 March 2026
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
EPSS Score 0.0042 33.1th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-34053 is a high-severity Missing Authorization (CWE-862) vulnerability in Open-Emr Openemr. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 33.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AU-12 (Audit Record Generation).

Deeper analysis

CVE-2026-34053 is a missing authorization vulnerability (CWE-862) in OpenEMR, a free and open source electronic health records and medical practice management application. The issue affects versions prior to 8.0.0.3 and resides in the AJAX deletion endpoint at `interface/forms/procedure_order/handle_deletions.php`, which lacks proper role-based access controls. This allows unauthorized deletion actions across the system, with a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L), highlighting high integrity impact and low availability disruption.

Any authenticated user, irrespective of their role, can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation enables the attacker to irreversibly delete procedure orders, associated answers, and specimens for any patient in the OpenEMR instance, potentially compromising critical medical data integrity without affecting confidentiality.

The OpenEMR security advisory (GHSA-3vvq-pfq6-pw98) and release notes for version 8.0.0.3 detail the patch, which adds necessary authorization checks to the affected endpoint. Practitioners should upgrade to OpenEMR 8.0.0.3 or later, as referenced in the fix commit (7a16b731af7d34ffd92155fe2a5692fa1a67858e), and review access logs for suspicious deletion activity in unpatched systems.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, missing authorization in the AJAX deletion endpoint `interface/forms/procedure_order/handle_deletions.php` allows any authenticated user, regardless of role, to irreversibly delete procedure orders, answers,…

more

and specimens belonging to any patient in the system. Version 8.0.0.3 patches the issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1565.001 Stored Data Manipulation Impact
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

Missing authorization in public-facing web endpoint directly enables remote exploitation (T1190) leading to unauthorized deletion of stored application data (T1565.001).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25131Same product: Open-Emr Openemr
CVE-2026-25164Same product: Open-Emr Openemr
CVE-2026-32126Same product: Open-Emr Openemr
CVE-2026-33918Same product: Open-Emr Openemr
CVE-2026-24890Same product: Open-Emr Openemr
CVE-2026-25746Same product: Open-Emr Openemr
CVE-2026-33914Same product: Open-Emr Openemr
CVE-2026-33917Same product: Open-Emr Openemr
CVE-2026-24848Same product: Open-Emr Openemr
CVE-2026-32127Same product: Open-Emr Openemr

Affected Assets

open-emr
openemr
≤ 8.0.0.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Mandates enforcement of approved role-based authorizations for logical access to resources, directly addressing the missing authorization checks in the OpenEMR deletion endpoint.

prevent

Restricts privileges to least necessary for roles, preventing any authenticated user from performing unauthorized deletions on other patients' procedure orders and specimens.

detect

Requires audit record generation for security-relevant events like deletions, enabling detection and review of suspicious unauthorized activity as advised in the security advisory.

References