PT-2026-24841 · Git+1 · Openemr
Pavelkohout396 · Published 2026-03-11 · Updated 2026-03-11 · CVE-2026-32122
CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: OpenEMR versions prior to 8.0.0.1
Description: OpenEMR is an electronic health records and medical practice management application. The Claim File Tracker feature exposes an AJAX endpoint that returns billing claim metadata, including claim IDs, payer information, and transmission logs. This endpoint does not enforce the same Access Control List (ACL) as the main billing/claims workflow, so any authenticated user, even one without billing permissions, can retrieve this sensitive data. The root cause is that the endpoint does not validate the caller's permissions before returning the claim metadata; authentication alone is sufficient to reach it. The vulnerable parameter is not explicitly mentioned.
Recommendations: Update OpenEMR to version 8.0.0.1 or later.
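As an added illustration (not OpenEMR's own code), the authorization gap described above next to a hardened handler: the checker is injected so it runs stand-alone, and the ACL section/permission names ('acct', 'bill'), the function names and the sample claim data are assumptions.

```php
<?php
// Added illustration, not OpenEMR code. ACL names and helper names are assumptions.

// Vulnerable shape: the AJAX handler only checks that a session exists (authentication)
// and then returns claim metadata, so a logged-in user with no billing role gets it.
function claimTrackerVulnerable(array $session, callable $loadClaims): array
{
    if (empty($session['authUserID'])) {
        return ['status' => 401, 'body' => ['error' => 'not logged in']];
    }
    return ['status' => 200, 'body' => $loadClaims()];   // no authorization check
}

// Hardened shape: enforce the same ACL the main billing/claims workflow uses,
// before any claim data is loaded, and return a generic error on denial.
// In the real application $aclCheck would be the ACL helper the claims workflow calls.
function claimTrackerHardened(array $session, callable $aclCheck, callable $loadClaims): array
{
    if (empty($session['authUserID'])) {
        return ['status' => 401, 'body' => ['error' => 'not logged in']];
    }
    if (!$aclCheck('acct', 'bill')) {            // section/permission names assumed
        return ['status' => 403, 'body' => ['error' => 'not authorized']];
    }
    return ['status' => 200, 'body' => $loadClaims()];
}

// Constructed sample data so the file runs offline.
$loadClaims = fn(): array => [[
    'claim_id' => 'C-1001',                      // constructed
    'payer'    => 'Sample Payer Inc.',           // constructed
    'log'      => '2026-03-01 transmitted',      // constructed
]];
$session      = ['authUserID' => 42];            // authenticated, non-billing role
$noBillingAcl = fn(string $section, string $perm): bool => false;
$billingAcl   = fn(string $section, string $perm): bool => true;

echo 'vulnerable, non-billing user: ', claimTrackerVulnerable($session, $loadClaims)['status'], PHP_EOL;
echo 'hardened, non-billing user:   ', claimTrackerHardened($session, $noBillingAcl, $loadClaims)['status'], PHP_EOL;
echo 'hardened, billing user:       ', claimTrackerHardened($session, $billingAcl, $loadClaims)['status'], PHP_EOL;
```

The first call shows the leak (metadata returned to a non-billing user); the hardened handler denies that caller and serves only the caller that passes the billing ACL.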

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2026-32122, GHSA-RWF9-PX3C-3PRW

Affected Products: Openemr