OpenEMR Authorization Bypass Vulnerability in Clinical Decision Rules Controller

Vulnerability

A vulnerability in OpenEMR versions prior to 8.0.0.1 allows any authenticated user to bypass the administrative privilege check in the Clinical Decision Rules (CDR) subsystem. The issue arises from an inverted boolean condition in the ControllerRouter::route() method, which consequently fails to enforce the admin/super ACL check. As a result, CDR controllers such as alerts, ajax, edit, add, detail, and browse are accessible to all logged-in users. Exploiting this vulnerability enables users to suppress clinical decision support alerts, delete or modify clinical plans, and edit rule configurations, all of which should require administrator rights.
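To illustrate the bug class, the following added example (constructed here; not OpenEMR code, and the ACL function, user model and controller names are assumptions based only on the names above) models a router whose admin/super gate is inverted, next to the corrected gate, and runs an authorization matrix over every user-by-controller pair so that the inversion shows up as a list of violations.

```python
"""Model of an admin-gated controller router with an inverted ACL condition,
the corrected gate, and an authorization-matrix check that catches the bug.
Constructed illustration only; none of this is OpenEMR's own code."""
from dataclasses import dataclass

# Constructed: the controllers named in the advisory, all meant to be admin-only.
ADMIN_ONLY = {"alerts", "ajax", "edit", "add", "detail", "browse"}


@dataclass(frozen=True)
class User:
    name: str
    is_admin: bool


def acl_check(user: User, section: str, value: str) -> bool:
    """Stand-in ACL lookup (assumption): only admins hold admin/super."""
    return user.is_admin and (section, value) == ("admin", "super")


def route_vulnerable(user: User, controller: str) -> str:
    # Bug: the condition is inverted. It denies exactly the users who pass
    # the ACL check and dispatches everyone else to the admin-only controller.
    if acl_check(user, "admin", "super"):
        return "denied"
    return f"dispatched:{controller}"


def route_fixed(user: User, controller: str) -> str:
    # Correct gate: deny unless the admin/super ACL check passes.
    if not acl_check(user, "admin", "super"):
        return "denied"
    return f"dispatched:{controller}"


def authz_matrix(route):
    """Exercise every (user, controller) pair; return reachable controllers per user."""
    users = [User("admin", True), User("clinician", False)]
    return {u.name: sorted(c for c in ADMIN_ONLY
                           if route(u, c).startswith("dispatched")) for u in users}


def gate_violations(route):
    """(user, controller) pairs where a non-admin reaches an admin-only controller
    or an admin is wrongly denied. An empty list means the gate is correct."""
    matrix = authz_matrix(route)
    bad = [("clinician", c) for c in matrix["clinician"]]
    bad += [("admin", c) for c in ADMIN_ONLY if c not in matrix["admin"]]
    return sorted(bad)


if __name__ == "__main__":
    print("vulnerable gate violations:", gate_violations(route_vulnerable))
    print("fixed gate violations:", gate_violations(route_fixed))
```

A matrix check of this shape is a cheap regression test for any router-level ACL gate: it fails on an inverted condition as loudly as on a missing one.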

Impact

This vulnerability leads to unauthorized access and modification rights within the Clinical Decision Rules subsystem, allowing non-admin users to perform tasks reserved for administrators. The ability to suppress clinical decision support alerts system-wide poses direct risks to patient safety, as it can interfere with critical reminders and drug interaction warnings. Furthermore, the unauthorized deletion or modification of clinical plans disrupts established workflows, potentially affecting the quality of care provided.

Reproduction

To reproduce this vulnerability, log in as a non-admin user. Access the CDR router via the interface/super/rules/index.php page, which is normally hidden from non-admin users but can be reached directly. Once there, submit a POST request to suppress alerts for a specific clinical rule. The absence of the admin ACL check will allow the request to be processed, bypassing the intended authorization requirements. After the request is processed, verify the suppression by checking the clinical_rules database for the updated alert flags, which should reflect the changes made.

Remediation

Users can update to OpenEMR version 8.0.0.1 or later, where this vulnerability has been fixed.

Added: Mar 11, 2026, 9:42 PM
Updated: Mar 11, 2026, 9:42 PM

Vulnerability Rating

Custom Algorithm
spread: 4.5
impact: 2.5
exploitability: 6.2
remediation: 7.7
relevance: 3.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.