CVE-2026-34051

OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.3 have an improper access control on the Import/Export functionality, allowing unauthorized users to perform import and export actions through direct request manipulation despite UI restrictions. This can lead to unauthorized data access, bulk data extraction, and manipulation of system data. Version 8.0.0.3 contains a fix.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/openemr/openemr/commit/81c097f7852fc60d45adf6c13baa86cd0a1b400b	Patch
https://github.com/openemr/openemr/releases/tag/v8_0_0_3	Product
https://github.com/openemr/openemr/security/advisories/GHSA-54m8-wpg9-9665	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-26 00:16

Updated : 2026-03-26 16:17

NVD link : CVE-2026-34051

Mitre link : CVE-2026-34051

CVE.ORG link : CVE-2026-34051

JSON object : View

Products Affected

open-emr

openemr

CWE

CWE-285

Improper Authorization

CWE-425

Direct Request ('Forced Browsing')

{"id": "CVE-2026-34051", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.8}]}, "published": "2026-03-26T00:16:40.850", "references": [{"url": "https://github.com/openemr/openemr/commit/81c097f7852fc60d45adf6c13baa86cd0a1b400b", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3", "tags": ["Product"], "source": "security-advisories@github.com"}, {"url": "https://github.com/openemr/openemr/security/advisories/GHSA-54m8-wpg9-9665", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-285"}, {"lang": "en", "value": "CWE-425"}]}], "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.3 have an improper access control on the Import/Export functionality, allowing unauthorized users to perform import and export actions through direct request manipulation despite UI restrictions. This can lead to unauthorized data access, bulk data extraction, and manipulation of system data. Version 8.0.0.3 contains a fix."}, {"lang": "es", "value": "OpenEMR es una aplicaci\u00f3n gratuita y de c\u00f3digo abierto de registros m\u00e9dicos electr\u00f3nicos y gesti\u00f3n de consultorios m\u00e9dicos. Las versiones anteriores a la 8.0.0.3 tienen un control de acceso inadecuado en la funcionalidad de Importaci\u00f3n/Exportaci\u00f3n, permitiendo a usuarios no autorizados realizar acciones de importaci\u00f3n y exportaci\u00f3n mediante la manipulaci\u00f3n directa de solicitudes a pesar de las restricciones de la interfaz de usuario. Esto puede llevar a un acceso no autorizado a datos, extracci\u00f3n masiva de datos y manipulaci\u00f3n de datos del sistema. La versi\u00f3n 8.0.0.3 contiene una soluci\u00f3n."}], "lastModified": "2026-03-26T16:17:42.807", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E3E098AF-42A1-4798-85A7-80052F19F809", "versionEndExcluding": "8.0.0.3"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}