Home / Vulnerability Intelligence / CVE-2026-34053

CVE-2026-34053 - Vulnerability Analysis

HighCVSS: 7.1

Last Updated: March 26, 2026

OpenEMR - Broken Access Control

Published: March 26, 2026Updated: March 26, 2026PoC AvailableRemote Exploitable

Overview

OpenEMR < 8.0.0.3 contains a broken access control vulnerability caused by missing authorization in the AJAX deletion endpoint interface/forms/procedure_order/handle_deletions.php, letting authenticated users delete procedure orders, answers, and specimens of any patient.

Severity & Score

Severity: High

CVSS Score: 7.1

Impact

Authenticated users can irreversibly delete critical patient data, leading to data loss and disruption of medical records.

Mitigation

Update to version 8.0.0.3 or later.

References

https://github.com/openemr/openemr/commit/7a16b731af7d34ffd92155fe2a5692fa1a67858e
https://github.com/openemr/openemr/releases/tag/v8_0_0_3
https://github.com/openemr/openemr/security/advisories/GHSA-3vvq-pfq6-pw98

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-34053
Severity: High
CVSS Score: 7.1
Type: broken_access_control
Status: confirmed

CWE

CWE-862

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L