CVE-2026-34053 HIGH

CVE-2026-34053: OpenEMR Missing Authorization in Procedure Order AJAX Deletion Handler

Vendor Openemr

Product openemr

Weakness CWE-862 · Missing authorization

Published March 25, 2026

Last update March 26, 2026

View on NVD All CVEs

CVSS base score

7.1/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality None

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

What the vulnerability does

01Description

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, missing authorization in the AJAX deletion endpoint `interface/forms/procedure_order/handle_deletions.php` allows any authenticated user, regardless of role, to irreversibly delete procedure orders, answers, and specimens belonging to any patient in the system. Version 8.0.0.3 patches the issue.

Key dates

02Disclosure timeline

March 25, 2026 CVE published

March 26, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-34053 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/862.html

Related vulnerabilities

04Related CVE

CVE-2025-67561 WordPress Debug Log Viewer plugin <= 2.0.3 - Broken Access Control vulnerability CVE-2025-23961 WordPress WordPress Graphs & Charts Plugin <= 2.0.8 - Broken Access Control vulnerability CVE-2025-62976 WordPress Sendle Shipping plugin <= 6.02 - Broken Access Control vulnerability CVE-2025-14618 Sweet Energy Efficiency <= 1.0.6 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Graph Deletion CVE-2026-3143 Total Upkeep <= 1.17.1 - Missing Authorization to Unauthenticated Rollback Cancellation