Vulnerability Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, missing authorization in the AJAX deletion endpoint `interface/forms/procedure_order/handle_deletions.php` allows any authenticated user, regardless of role, to irreversibly delete procedure orders, answers, and specimens belonging to any patient in the system. Version 8.0.0.3 patches the issue.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Open-Emr | Openemr | < 8.0.0.3 |
Related Weaknesses (CWE)
References
- https://github.com/openemr/openemr/commit/7a16b731af7d34ffd92155fe2a5692fa1a6785Patch
- https://github.com/openemr/openemr/releases/tag/v8_0_0_3Product
- https://github.com/openemr/openemr/security/advisories/GHSA-3vvq-pfq6-pw98ExploitVendor Advisory
- https://github.com/openemr/openemr/security/advisories/GHSA-3vvq-pfq6-pw98ExploitVendor Advisory
FAQ
What is CVE-2026-34053?
CVE-2026-34053 is a vulnerability with a CVSS score of 7.1 (HIGH). OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, missing authorization in the AJAX deletion endpoint `interface/forms/...
How severe is CVE-2026-34053?
CVE-2026-34053 has been rated HIGH with a CVSS base score of 7.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-34053?
Check the references section above for vendor advisories and patch information. Affected products include: Open-Emr Openemr.