PT-2026-28157 · Openemr · Openemr

Published 2026-03-25 · Updated 2026-03-26 · CVE-2026-34055

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: OpenEMR versions prior to 8.0.0.3

Description: OpenEMR is an electronic health records and medical practice management application. Versions prior to 8.0.0.3 have an issue in the legacy patient notes functions located in library/pnotes.inc.php. These functions perform updates and deletes using WHERE id = ? without verifying that the requesting user is authorized to access the patient's note. User-controlled note IDs are passed directly to these functions by multiple web UI callers, so the note ID alone decides which row is modified. This is similar to a REST API IDOR issue. The vulnerable functions include the update and delete operations; the vulnerable parameter is id.

Recommendations: Update to version 8.0.0.3 or later.
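The following PHP is an added illustration of the defect class described above and of the check that closes it; it is not OpenEMR's code and does not reproduce library/pnotes.inc.php. The table name pnotes, its columns (id, pid, body), the PDO handle and the userMayAccessPatient() ACL hook are all assumptions made for the example; the rows are constructed sample data in an in-memory SQLite database.

```php
<?php
// Added example (not OpenEMR's own code): a legacy-style note update that trusts a
// user-supplied note id, beside versions that resolve the note's patient and enforce
// an authorization check before writing. Schema and ACL hook are assumptions.

declare(strict_types=1);

// Hypothetical ACL hook: may the logged-in user touch this patient's chart?
function userMayAccessPatient(int $userId, int $pid): bool
{
    // Constructed policy for the example: user 7 is assigned patients 101 and 102.
    static $assigned = [7 => [101, 102]];
    return in_array($pid, $assigned[$userId] ?? [], true);
}

// Pattern the advisory describes: the row is selected by id alone, so the
// caller's note id is the only thing deciding which patient's note changes.
function updateNoteUnchecked(PDO $pdo, int $noteId, string $body): int
{
    $stmt = $pdo->prepare('UPDATE pnotes SET body = ? WHERE id = ?');
    $stmt->execute([$body, $noteId]);
    return $stmt->rowCount();
}

// Shared guard for the hardened versions: look up which patient the note belongs
// to, refuse if the user may not access that patient, and return the pid so the
// caller can pin the write to it.
function requireNoteAccess(PDO $pdo, int $userId, int $noteId): int
{
    $lookup = $pdo->prepare('SELECT pid FROM pnotes WHERE id = ?');
    $lookup->execute([$noteId]);
    $pid = $lookup->fetchColumn();
    if ($pid === false) {
        throw new RuntimeException('note not found');
    }
    if (!userMayAccessPatient($userId, (int) $pid)) {
        // Generic message: do not confirm which patient the note belongs to.
        throw new RuntimeException('not authorized');
    }
    return (int) $pid;
}

// Hardened update: authorization check first, and pid kept in the WHERE clause so
// the statement cannot drift to another chart even if the id is reused.
function updateNoteChecked(PDO $pdo, int $userId, int $noteId, string $body): int
{
    $pid = requireNoteAccess($pdo, $userId, $noteId);
    $stmt = $pdo->prepare('UPDATE pnotes SET body = ? WHERE id = ? AND pid = ?');
    $stmt->execute([$body, $noteId, $pid]);
    return $stmt->rowCount();
}

// Same guard applied to delete, the other operation named in the advisory.
function deleteNoteChecked(PDO $pdo, int $userId, int $noteId): int
{
    $pid = requireNoteAccess($pdo, $userId, $noteId);
    $stmt = $pdo->prepare('DELETE FROM pnotes WHERE id = ? AND pid = ?');
    $stmt->execute([$noteId, $pid]);
    return $stmt->rowCount();
}

// Self-contained demo with constructed rows (requires the pdo_sqlite extension).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE pnotes (id INTEGER PRIMARY KEY, pid INTEGER NOT NULL, body TEXT NOT NULL)');
$pdo->exec("INSERT INTO pnotes (id, pid, body) VALUES (1, 101, 'note for patient 101'), (2, 999, 'note for patient 999')");

$user = 7; // assigned to patients 101 and 102 only

// Unchecked path: note 2 belongs to patient 999, yet the update goes through.
echo "unchecked update changed " . updateNoteUnchecked($pdo, 2, 'changed') . " row(s)\n";

// Checked path: the same request is refused before any write.
try {
    updateNoteChecked($pdo, $user, 2, 'changed again');
} catch (RuntimeException $e) {
    echo "checked update refused: " . $e->getMessage() . "\n";
}

// Checked path on a note the user is allowed to reach.
echo "checked update changed " . updateNoteChecked($pdo, $user, 1, 'edited') . " row(s)\n";
echo "checked delete removed " . deleteNoteChecked($pdo, $user, 1) . " row(s)\n";
```

The point of the hardened form is that the authorization decision is made inside the data-access function rather than left to each web UI caller, which is what allowed the unchecked id to reach the query in the first place; pinning the pid in the WHERE clause is a second, cheap layer in case a caller later bypasses the guard. When reviewing a fix for this class of bug, look for both: a check tied to the note's owning patient, and a write scoped to that patient.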

Exploit

Fix

IDOR

Weakness Enumeration

Related Identifiers

CVE-2026-34055
GHSA-8GJ5-R8VM-MGHQ

Affected Products

Openemr