CVE-2026-34053

Discovered by AISLEPUBLISHEDCWE-862

Description

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, missing authorization in the AJAX deletion endpoint `interface/forms/procedure_order/handle_deletions.php` allows any authenticated user, regardless of role, to irreversibly delete procedure orders, answers, and specimens belonging to any patient in the system. Version 8.0.0.3 patches the issue.

CVSS Base Scores

CVSS v3.1(Primary)

7.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

Affected Products

Vendor	Product	Version	Status
openemr	openemr	< 8.0.0.3	affected

References

https://github.com/openemr/openemr/security/advisories/GHSA-3vvq-pfq6-pw98
https://github.com/openemr/openemr/commit/7a16b731af7d34ffd92155fe2a5692fa1a67858e
https://github.com/openemr/openemr/releases/tag/v8_0_0_3