CVE-2026-32238

OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.2 contain a Command injection vulnerability in the backup functionality that can be exploited by authenticated attackers. The vulnerability exists due to insufficient input validation in the backup functionality. Version 8.0.0.2 fixes the issue.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 2.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/openemr/openemr/commit/7bc7bd077a624e205daed17658de41af6070ef73	Patch
https://github.com/openemr/openemr/security/advisories/GHSA-6pmc-3xm7-pm86	Exploit Mitigation Vendor Advisory
https://github.com/openemr/openemr/security/advisories/GHSA-6pmc-3xm7-pm86	Exploit Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-19 20:16

Updated : 2026-03-20 19:16

NVD link : CVE-2026-32238

Mitre link : CVE-2026-32238

CVE.ORG link : CVE-2026-32238

JSON object : View

Products Affected

open-emr

openemr

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"id": "CVE-2026-32238", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.3}]}, "published": "2026-03-19T20:16:14.057", "references": [{"url": "https://github.com/openemr/openemr/commit/7bc7bd077a624e205daed17658de41af6070ef73", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/openemr/openemr/security/advisories/GHSA-6pmc-3xm7-pm86", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/openemr/openemr/security/advisories/GHSA-6pmc-3xm7-pm86", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.2 contain a Command injection vulnerability in the backup functionality that can be exploited by authenticated attackers. The vulnerability exists due to insufficient input validation in the backup functionality. Version 8.0.0.2 fixes the issue."}, {"lang": "es", "value": "OpenEMR es una aplicaci\u00f3n de c\u00f3digo abierto y gratuita para la gesti\u00f3n de registros m\u00e9dicos electr\u00f3nicos y la pr\u00e1ctica m\u00e9dica. Las versiones anteriores a la 8.0.0.2 contienen una vulnerabilidad de inyecci\u00f3n de comandos en la funcionalidad de copia de seguridad que puede ser explotada por atacantes autenticados. La vulnerabilidad existe debido a una validaci\u00f3n de entrada insuficiente en la funcionalidad de copia de seguridad. La versi\u00f3n 8.0.0.2 soluciona el problema."}], "lastModified": "2026-03-20T19:16:15.603", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C78F19AD-BD18-4F61-8B1C-DD099DBC6D34", "versionEndExcluding": "8.0.0.2"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}