CVE-2026-34055
Published: 26 March 2026
Summary
CVE-2026-34055 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in OpenEMR (vendor listed as Open-Emr). Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability is ranked at the 2.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI-generated)
- Enforces approved authorizations for access to patient notes, directly preventing unauthorized updates and deletes via unverified note IDs.
- Validates user-supplied note IDs to ensure they belong to patients the user is authorized to access, blocking IDOR exploitation.
- Implements security attributes such as patient ownership on notes to support enforcement of access controls against unauthorized manipulation.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
The IDOR sits in a public-facing web application (OpenEMR), so it is reachable through Exploit Public-Facing Application (T1190) by authenticated low-privileged users. Those users can read or modify patient data they are not entitled to (Data from Information Repositories, T1213), which amounts to horizontal privilege escalation (T1068) carried out through Stored Data Manipulation (T1565).
NVD Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the legacy patient notes functions in `library/pnotes.inc.php` perform updates and deletes using `WHERE id = ?` without verifying that the note belongs to a patient the user is authorized to access. Multiple web UI callers pass user-controlled note IDs directly to these functions. This is the same class of vulnerability as CVE-2026-25745 (REST API IDOR), but affects the web UI code paths. Version 8.0.0.3 patches the issue.
Deeper analysis (AI-generated)
CVE-2026-34055 is an Insecure Direct Object Reference (IDOR) vulnerability (CWE-639) in OpenEMR, a free and open-source electronic health records and medical practice management application. Versions prior to 8.0.0.3 are affected; the flaw lies in the legacy patient notes functions in `library/pnotes.inc.php`. These functions perform SQL updates and deletes using a `WHERE id = ?` clause without verifying that the targeted note belongs to a patient the user is authorized to access. Multiple web UI callers pass user-controlled note IDs directly to these functions, so any authenticated user who can reach those callers can manipulate notes outside their authorization scope. This mirrors the IDOR issue in CVE-2026-25745, which affected REST API endpoints, but targets web UI code paths instead.
The vulnerability has a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), indicating exploitation over the network by low-privileged authenticated users with low complexity and no user interaction required. Attackers can supply arbitrary note IDs to update or delete sensitive patient notes belonging to other users or patients, potentially exposing or altering confidential medical data and compromising record integrity.
OpenEMR version 8.0.0.3 addresses the issue with a targeted patch. Security advisories recommend immediate upgrades to this version or later. Key resources include the patching commit at https://github.com/openemr/openemr/commit/214c9b4585a6f1c8c22750172d47f0e258fec0bf, the release notes at https://github.com/openemr/openemr/releases/tag/v8_0_0_3, and the GitHub security advisory at https://github.com/openemr/openemr/security/advisories/GHSA-8gj5-r8vm-mghq.
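To make the defect and the mitigation concrete, the following is an added example (not OpenEMR's code and not the patch itself) showing the "update by id alone" shape described above beside a hardened form in which the ownership check is folded into the same statement. The schema, the `user_patient_access` table, and all sample rows are constructed stand-ins, and the example uses Python's standard-library `sqlite3` so it runs offline.

```python
"""
Added illustration of the IDOR pattern behind CVE-2026-34055 and its fix.
This is NOT OpenEMR code: the tables 'pnotes' and 'user_patient_access' and
every row in them are constructed assumptions so the example runs offline.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE pnotes (id INTEGER PRIMARY KEY, pid INTEGER NOT NULL, body TEXT NOT NULL);
        -- constructed ACL: which users may act on which patients' records
        CREATE TABLE user_patient_access (user_id INTEGER NOT NULL, pid INTEGER NOT NULL);
        INSERT INTO pnotes VALUES (1, 100, 'note for patient 100');
        INSERT INTO pnotes VALUES (2, 200, 'note for patient 200');
        INSERT INTO user_patient_access VALUES (7, 100);  -- user 7 -> patient 100 only
        """
    )
    return conn


def update_note_vulnerable(conn: sqlite3.Connection, note_id: int, body: str) -> int:
    """'Before' shape: the user-controlled note id is trusted outright.
    Any authenticated caller can rewrite any note. Returns rows changed."""
    cur = conn.execute("UPDATE pnotes SET body = ? WHERE id = ?", (body, note_id))
    conn.commit()
    return cur.rowcount


def update_note_hardened(conn: sqlite3.Connection, user_id: int, note_id: int, body: str) -> int:
    """'After' shape: the row is only touched if its patient is one the caller
    may access. The ownership test is part of the same UPDATE, so there is no
    separate check-then-act window. Returns rows changed (0 = refused/absent)."""
    cur = conn.execute(
        """
        UPDATE pnotes SET body = ?
         WHERE id = ?
           AND pid IN (SELECT pid FROM user_patient_access WHERE user_id = ?)
        """,
        (body, note_id, user_id),
    )
    conn.commit()
    return cur.rowcount


def delete_note_hardened(conn: sqlite3.Connection, user_id: int, note_id: int) -> int:
    """Same ownership constraint applied to the delete path."""
    cur = conn.execute(
        "DELETE FROM pnotes WHERE id = ? "
        "AND pid IN (SELECT pid FROM user_patient_access WHERE user_id = ?)",
        (note_id, user_id),
    )
    conn.commit()
    return cur.rowcount


def note_body(conn: sqlite3.Connection, note_id: int):
    """Current body of a note, or None if it no longer exists."""
    row = conn.execute("SELECT body FROM pnotes WHERE id = ?", (note_id,)).fetchone()
    return row[0] if row else None


def demo() -> tuple:
    """User 7 (authorized for patient 100 only) targets note 2, which belongs
    to patient 200. Returns (rows changed by the vulnerable path, rows changed
    by the hardened path)."""
    vuln_conn = make_db()
    changed_vuln = update_note_vulnerable(vuln_conn, 2, "tampered")
    hard_conn = make_db()
    changed_hard = update_note_hardened(hard_conn, 7, 2, "tampered")
    return changed_vuln, changed_hard


if __name__ == "__main__":
    print(demo())  # vulnerable path changes 1 row, hardened path changes 0
```

In the hardened form a zero row count for a note id that does exist is an authorization failure, not a "not found", and is worth logging as such: repeated zero-row updates from one session across many ids is exactly the pattern an IDOR probe produces.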
Details
- CWE(s)