CVE-2026-32120

MEDIUM 6.5

OpenEMR has IDOR in Fee Sheet Product Save

CVSS Score

6.5

EPSS Score

0.0%

EPSS Percentile

7th

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, an Insecure Direct Object Reference (IDOR) vulnerability in the fee sheet product save logic (`library/FeeSheet.class.php`) allows any authenticated user with fee sheet ACL access to delete, modify, or read `drug_sales` records belonging to arbitrary patients by manipulating the hidden `prod[][sale_id]` form field. The `save()` method uses the user-supplied `sale_id` in five SQL queries (SELECT, UPDATE, DELETE) without verifying that the record belongs to the current patient and encounter. Version 8.0.0.3 contains a patch.

CWE	CWE-639
Vendor	openemr
Product	openemr
Published	Mar 25, 2026
Last Updated	Mar 26, 2026

Stay Ahead of the Next One

Get instant alerts for openemr openemr

Be the first to know when new medium vulnerabilities affecting openemr openemr are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Affected Versions

openemr / openemr

< 8.0.0.3

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/openemr/openemr/security/advisories/GHSA-pvvj-mv7h-7847 github.com: https://github.com/openemr/openemr/commit/c5b4dd8caf2af70617cc58d39188621ed90543dc github.com: https://github.com/openemr/openemr/releases/tag/v8_0_0_3