{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34053", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-25T15:29:04.746Z", "datePublished": "2026-03-25T23:46:21.596Z", "dateUpdated": "2026-03-26T15:02:37.508Z"}, "containers": {"cna": {"title": "OpenEMR Missing Authorization in Procedure Order AJAX Deletion Handler", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/openemr/openemr/security/advisories/GHSA-3vvq-pfq6-pw98", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openemr/openemr/security/advisories/GHSA-3vvq-pfq6-pw98"}, {"name": "https://github.com/openemr/openemr/commit/7a16b731af7d34ffd92155fe2a5692fa1a67858e", "tags": ["x_refsource_MISC"], "url": "https://github.com/openemr/openemr/commit/7a16b731af7d34ffd92155fe2a5692fa1a67858e"}, {"name": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3", "tags": ["x_refsource_MISC"], "url": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3"}], "affected": [{"vendor": "openemr", "product": "openemr", "versions": [{"version": "< 8.0.0.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T23:46:21.596Z"}, "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, missing authorization in the AJAX deletion endpoint `interface/forms/procedure_order/handle_deletions.php` allows any authenticated user, regardless of role, to irreversibly delete procedure orders, answers, and specimens belonging to any patient in the system. Version 8.0.0.3 patches the issue."}], "source": {"advisory": "GHSA-3vvq-pfq6-pw98", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/openemr/openemr/security/advisories/GHSA-3vvq-pfq6-pw98", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T14:20:05.432951Z", "id": "CVE-2026-34053", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T15:02:37.508Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34053", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T14:20:05.432951Z"}}}], "references": [{"url": "https://github.com/openemr/openemr/security/advisories/GHSA-3vvq-pfq6-pw98", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T14:20:15.465Z"}}], "cna": {"title": "OpenEMR Missing Authorization in Procedure Order AJAX Deletion Handler", "source": {"advisory": "GHSA-3vvq-pfq6-pw98", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "openemr", "product": "openemr", "versions": [{"status": "affected", "version": "< 8.0.0.3"}]}], "references": [{"url": "https://github.com/openemr/openemr/security/advisories/GHSA-3vvq-pfq6-pw98", "name": "https://github.com/openemr/openemr/security/advisories/GHSA-3vvq-pfq6-pw98", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/openemr/openemr/commit/7a16b731af7d34ffd92155fe2a5692fa1a67858e", "name": "https://github.com/openemr/openemr/commit/7a16b731af7d34ffd92155fe2a5692fa1a67858e", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3", "name": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, missing authorization in the AJAX deletion endpoint `interface/forms/procedure_order/handle_deletions.php` allows any authenticated user, regardless of role, to irreversibly delete procedure orders, answers, and specimens belonging to any patient in the system. Version 8.0.0.3 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T23:46:21.596Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34053", "state": "PUBLISHED", "dateUpdated": "2026-03-26T15:02:37.508Z", "dateReserved": "2026-03-25T15:29:04.746Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-25T23:46:21.596Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*", "matchCriteriaId": "E3E098AF-42A1-4798-85A7-80052F19F809", "versionEndExcluding": "8.0.0.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, missing authorization in the AJAX deletion endpoint `interface/forms/procedure_order/handle_deletions.php` allows any authenticated user, regardless of role, to irreversibly delete procedure orders, answers, and specimens belonging to any patient in the system. Version 8.0.0.3 patches the issue."}], "id": "CVE-2026-34053", "lastModified": "2026-03-26T16:17:22.067", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-26T00:16:41.057", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/openemr/openemr/commit/7a16b731af7d34ffd92155fe2a5692fa1a67858e"}, {"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/openemr/openemr/security/advisories/GHSA-3vvq-pfq6-pw98"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/openemr/openemr/security/advisories/GHSA-3vvq-pfq6-pw98"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,8.0.0.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "openemr", "source": "cna", "vendor": "openemr"}, "product": "openemr", "vendor": "openemr"}], "analysis": {"en": {"generated_at": "2026-03-26T04:44:25.863629+00:00", "value": {"mitigation_remediation": ["Upgrade OpenEMR to version 8.0.0.3 or later to apply the vendor patch."], "summary": {"action": "Patch Immediately", "impact": "Unauthorized deletion of patient procedure records"}, "threat_synthesis": {"affected_systems": "Installations of OpenEMR prior to version 8.0.0.3 are affected. The vulnerability exists in the deletion handler located at interface/forms/procedure_order/handle_deletions.php and does not enforce role\u2011based restrictions, exposing all user roles to delete any patient record.", "description_and_impact": "A missing authorization check in the AJAX deletion endpoint allows any authenticated user to irrevocably delete procedure orders, answers, and specimens belonging to any patient. This breach of access control undermines the integrity of patient data, potentially causing loss of clinically relevant information and violating health data protection regulations.", "risk_and_exploitability": "The CVSS score of 7.1 indicates moderate\u2011to\u2011high severity. Exploitation requires only legitimate authentication, meaning any logged\u2011in user can trigger the deletion action. The vulnerability is not listed in the CISA KEV catalog, and EPSS data is unavailable, but the absence of proper access controls significantly increases the attack surface for authenticated users."}}}}, "created": "2026-03-26T11:31:04.014661+00:00", "updated": "2026-03-26T12:09:06.027432+00:00", "vendors": ["openemr", "openemr$PRODUCT$openemr"]}