CVE-2026-34053
Published: 26 March 2026
Summary
CVE-2026-34053 is a high-severity Missing Authorization (CWE-862) vulnerability in Open-Emr Openemr. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 4.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AU-12 (Audit Record Generation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Mandates enforcement of approved role-based authorizations for logical access to resources, directly addressing the missing authorization checks in the OpenEMR deletion endpoint.
Restricts privileges to least necessary for roles, preventing any authenticated user from performing unauthorized deletions on other patients' procedure orders and specimens.
Requires audit record generation for security-relevant events like deletions, enabling detection and review of suspicious unauthorized activity as advised in the security advisory.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing authorization in public-facing web endpoint directly enables remote exploitation (T1190) leading to unauthorized deletion of stored application data (T1565.001).
NVD Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, missing authorization in the AJAX deletion endpoint `interface/forms/procedure_order/handle_deletions.php` allows any authenticated user, regardless of role, to irreversibly delete procedure orders, answers,…
more
and specimens belonging to any patient in the system. Version 8.0.0.3 patches the issue.
Deeper analysisAI
CVE-2026-34053 is a missing authorization vulnerability (CWE-862) in OpenEMR, a free and open source electronic health records and medical practice management application. The issue affects versions prior to 8.0.0.3 and resides in the AJAX deletion endpoint at `interface/forms/procedure_order/handle_deletions.php`, which lacks proper role-based access controls. This allows unauthorized deletion actions across the system, with a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L), highlighting high integrity impact and low availability disruption.
Any authenticated user, irrespective of their role, can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation enables the attacker to irreversibly delete procedure orders, associated answers, and specimens for any patient in the OpenEMR instance, potentially compromising critical medical data integrity without affecting confidentiality.
The OpenEMR security advisory (GHSA-3vvq-pfq6-pw98) and release notes for version 8.0.0.3 detail the patch, which adds necessary authorization checks to the affected endpoint. Practitioners should upgrade to OpenEMR 8.0.0.3 or later, as referenced in the fix commit (7a16b731af7d34ffd92155fe2a5692fa1a67858e), and review access logs for suspicious deletion activity in unpatched systems.
Details
- CWE(s)