LeakyCreds

CVE-2026-32120 - Vulnerability Analysis

Medium | CVSS: 6.5

Last Updated: March 26, 2026

OpenEMR - Broken Access Control

Published: March 25, 2026 | Updated: March 26, 2026 | PoC Available | Remote Exploitable

Overview

OpenEMR versions before 8.0.0.3 contain an Insecure Direct Object Reference (IDOR) caused by a lack of ownership verification in the fee sheet save logic. Authenticated users with fee sheet ACL access can read, modify, or delete arbitrary patient drug_sales records. Exploitation requires fee sheet ACL access.

Severity & Score

Severity: Medium
CVSS Score: 6.5

Impact

Authenticated users with fee sheet ACL access can read, modify, or delete arbitrary patient drug_sales records, risking data integrity and confidentiality.

Mitigation

Update to version 8.0.0.3 or later.

Details

CVE ID: CVE-2026-32120
Severity: Medium
CVSS Score: 6.5
Type: broken_access_control
Status: confirmed

CWE

  • CWE-639

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N