{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32120", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-10T22:19:36.544Z", "datePublished": "2026-03-25T22:27:38.208Z", "dateUpdated": "2026-03-26T15:02:55.022Z"}, "containers": {"cna": {"title": "OpenEMR has IDOR in Fee Sheet Product Save", "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/openemr/openemr/security/advisories/GHSA-pvvj-mv7h-7847", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openemr/openemr/security/advisories/GHSA-pvvj-mv7h-7847"}, {"name": "https://github.com/openemr/openemr/commit/c5b4dd8caf2af70617cc58d39188621ed90543dc", "tags": ["x_refsource_MISC"], "url": "https://github.com/openemr/openemr/commit/c5b4dd8caf2af70617cc58d39188621ed90543dc"}, {"name": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3", "tags": ["x_refsource_MISC"], "url": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3"}], "affected": [{"vendor": "openemr", "product": "openemr", "versions": [{"version": "< 8.0.0.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T22:42:42.284Z"}, "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, an Insecure Direct Object Reference (IDOR) vulnerability in the fee sheet product save logic (`library/FeeSheet.class.php`) allows any authenticated user with fee sheet ACL access to delete, modify, or read `drug_sales` records belonging to arbitrary patients by manipulating the hidden `prod[][sale_id]` form field. The `save()` method uses the user-supplied `sale_id` in five SQL queries (SELECT, UPDATE, DELETE) without verifying that the record belongs to the current patient and encounter. Version 8.0.0.3 contains a patch."}], "source": {"advisory": "GHSA-pvvj-mv7h-7847", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/openemr/openemr/security/advisories/GHSA-pvvj-mv7h-7847", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T14:44:58.847837Z", "id": "CVE-2026-32120", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T15:02:55.022Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32120", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T14:44:58.847837Z"}}}], "references": [{"url": "https://github.com/openemr/openemr/security/advisories/GHSA-pvvj-mv7h-7847", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T14:45:13.168Z"}}], "cna": {"title": "OpenEMR has IDOR in Fee Sheet Product Save", "source": {"advisory": "GHSA-pvvj-mv7h-7847", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "openemr", "product": "openemr", "versions": [{"status": "affected", "version": "< 8.0.0.3"}]}], "references": [{"url": "https://github.com/openemr/openemr/security/advisories/GHSA-pvvj-mv7h-7847", "name": "https://github.com/openemr/openemr/security/advisories/GHSA-pvvj-mv7h-7847", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/openemr/openemr/commit/c5b4dd8caf2af70617cc58d39188621ed90543dc", "name": "https://github.com/openemr/openemr/commit/c5b4dd8caf2af70617cc58d39188621ed90543dc", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3", "name": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, an Insecure Direct Object Reference (IDOR) vulnerability in the fee sheet product save logic (`library/FeeSheet.class.php`) allows any authenticated user with fee sheet ACL access to delete, modify, or read `drug_sales` records belonging to arbitrary patients by manipulating the hidden `prod[][sale_id]` form field. The `save()` method uses the user-supplied `sale_id` in five SQL queries (SELECT, UPDATE, DELETE) without verifying that the record belongs to the current patient and encounter. Version 8.0.0.3 contains a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T22:42:42.284Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32120", "state": "PUBLISHED", "dateUpdated": "2026-03-26T15:02:55.022Z", "dateReserved": "2026-03-10T22:19:36.544Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-25T22:27:38.208Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*", "matchCriteriaId": "E3E098AF-42A1-4798-85A7-80052F19F809", "versionEndExcluding": "8.0.0.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, an Insecure Direct Object Reference (IDOR) vulnerability in the fee sheet product save logic (`library/FeeSheet.class.php`) allows any authenticated user with fee sheet ACL access to delete, modify, or read `drug_sales` records belonging to arbitrary patients by manipulating the hidden `prod[][sale_id]` form field. The `save()` method uses the user-supplied `sale_id` in five SQL queries (SELECT, UPDATE, DELETE) without verifying that the record belongs to the current patient and encounter. Version 8.0.0.3 contains a patch."}, {"lang": "es", "value": "OpenEMR es una aplicaci\u00f3n gratuita y de c\u00f3digo abierto para la gesti\u00f3n de historias cl\u00ednicas electr\u00f3nicas y consultas m\u00e9dicas. Antes de la versi\u00f3n 8.0.0.3, una vulnerabilidad de referencia directa a objetos insegura (IDOR) en la l\u00f3gica de guardado del producto \u00abhoja de tarifas\u00bb (`library/FeeSheet.class.php`) permite a cualquier usuario autenticado con acceso ACL a la hoja de tarifas eliminar, modificar o leer registros `drug_sales` pertenecientes a pacientes arbitrarios mediante la manipulaci\u00f3n del campo oculto del formulario `prod[][sale_id]`. El m\u00e9todo `save()` utiliza el `sale_id` proporcionado por el usuario en cinco consultas SQL (SELECT, UPDATE, DELETE) sin verificar que el registro pertenezca al paciente y a la consulta actuales. La versi\u00f3n 8.0.0.3 contiene un parche."}], "id": "CVE-2026-32120", "lastModified": "2026-03-26T18:03:30.737", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-25T23:17:09.510", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/openemr/openemr/commit/c5b4dd8caf2af70617cc58d39188621ed90543dc"}, {"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/openemr/openemr/security/advisories/GHSA-pvvj-mv7h-7847"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/openemr/openemr/security/advisories/GHSA-pvvj-mv7h-7847"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,8.0.0.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "openemr", "source": "cna", "vendor": "openemr"}, "product": "openemr", "vendor": "openemr"}], "analysis": {"en": {"generated_at": "2026-03-26T19:36:11.899161+00:00", "value": {"mitigation_remediation": ["Upgrade OpenEMR to version 8.0.0.3 or later to apply the vendor patch", "Verify that users have only the necessary fee sheet ACL privileges", "Monitor web requests for anomalous sale_id values that do not match the current patient context"], "summary": {"action": "Apply Patch", "impact": "Unauthorized manipulation of patient drug sales records via IDOR"}, "threat_synthesis": {"affected_systems": "The vulnerability affects OpenEMR installations before version 8.0.0.3. The patch included in the 8.0.0.3 release eliminates the IDOR flaw. Systems running the affected code base should be identified and upgraded to a non\u2011vulnerable release.", "description_and_impact": "An Insecure Direct Object Reference exists in OpenEMR\u2019s fee sheet product save logic, allowing a user with fee sheet ACL access to delete, modify, or read drug sales records for any patient by changing a hidden form field. The application accepts the supplied record identifier without verifying ownership or patient context, so the integrity of drug sales data can be compromised and confidential patient information may be exposed.", "risk_and_exploitability": "The CVSS score indicates a moderate severity of 6.5 and the EPSS score is reported as below 1\u202f%, suggesting low current exploit probability. The vulnerability is not listed in CISA\u2019s KEV catalog. The attack requires authentication and possession of fee sheet ACL rights; the likely vectors include web form manipulation or replay of valid requests. Exploitation would enable attackers to compromise patient data integrity and confidentiality."}}}}, "created": "2026-03-26T11:31:21.585019+00:00", "updated": "2026-03-27T09:29:30.813599+00:00", "vendors": ["openemr", "openemr$PRODUCT$openemr"]}