CVE-2026-32126

Name of the Vulnerable Software and Affected Versions OpenEMR versions prior to 8.0.0.1

Description OpenEMR is an electronic health records and medical practice management application. An incorrect boolean condition within the ControllerRouter::route() function results in the administrator/super user access control check being applied only to specific controllers (review, log). This leaves other controllers – alerts, ajax, edit, add, detail, browse – accessible to any authenticated user. This allows any logged-in user to suppress clinical decision support alerts, delete or modify clinical plans, and edit rule configurations, operations that should require administrator privileges.

Recommendations Versions prior to 8.0.0.1 should be updated to version 8.0.0.1 or later.