OpenEMR Broken Access Control Vulnerability Allowing Unauthorized Access to eRx Error Logs

Vulnerability

A broken access control vulnerability has been identified in OpenEMR versions prior to and including 8.0.0.3. It allows low-privilege users to view and download Ensora eRx error logs because the log viewer performs no authorization check. The issue compromises confidentiality: the logs expose sensitive information to users who are not meant to see it, which can lead to unauthorized data disclosure and misuse.

Impact

Exploitation of this vulnerability allows low-privilege users to access administrative data, bypassing role-based access controls and exposing sensitive information.

Reproduction

To reproduce this vulnerability, log into OpenEMR as a low-privilege user, such as a physician. Navigate to the eRx log viewer interface. Despite lacking administrative privileges, the user will be able to access and download eRx error logs, demonstrating the absence of necessary authorization checks.
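The defect described above is the absence of a server-side authorization check in the log viewer script. The following PHP is an added example, not OpenEMR's own code, showing the vulnerable shape beside the hardened one. It assumes a hypothetical script layout: the `globals.php` bootstrap path, the log file location, and the choice of the `admin`/`super` ACL right are all assumptions for illustration; `AclMain::aclCheckCore()` and `xlt()` are existing OpenEMR helpers.

```php
<?php
// Added example, not OpenEMR's own code. Shows the authorization guard that an
// eRx error-log viewer/download script needs. The script name, the log file
// path and the ACL right checked ('admin'/'super') are assumptions.

require_once(__DIR__ . "/../globals.php");   // assumed: usual OpenEMR interface bootstrap

use OpenEMR\Common\Acl\AclMain;

// Assumed location of the eRx error log; the real path is not on the page.
$erxLogPath = $GLOBALS['OE_SITE_DIR'] . "/documents/erx_error_log.txt";

// Vulnerable pattern (before): any authenticated user who reaches the script,
// by menu or by typing the URL, gets the log. Hiding the menu entry for
// non-admins does not help, because the check is never made here.
function erxLogVulnerable(string $logPath): void
{
    header('Content-Type: text/plain');
    if (isset($_GET['download'])) {
        header('Content-Disposition: attachment; filename="erx_error_log.txt"');
    }
    readfile($logPath);
}

// Hardened pattern (after): the ACL is evaluated on the server before a single
// byte of the log is sent, and the same guard covers the view and download
// branches, so there is no path around it.
function erxLogHardened(string $logPath): void
{
    // 'admin'/'super' is OpenEMR's administrator right; whether that is the
    // exact right the project assigns to eRx logs is an assumption here.
    if (!AclMain::aclCheckCore('admin', 'super')) {
        http_response_code(403);
        echo xlt("Not authorized");
        exit;
    }
    if (!is_readable($logPath)) {
        http_response_code(404);
        echo xlt("Log not found");
        exit;
    }
    header('Content-Type: text/plain');
    if (isset($_GET['download'])) {
        header('Content-Disposition: attachment; filename="erx_error_log.txt"');
    }
    readfile($logPath);
}

erxLogHardened($erxLogPath);
```

The point of the hardened form is that the decision is made inside the script that serves the data, not in the navigation that links to it. When verifying a fix, exercise both the view and the download branch as the low-privilege role from the reproduction steps and confirm each returns a 403 rather than log content.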

Added: Mar 26, 2026, 12:19 AM
Updated: Mar 26, 2026, 12:19 AM

Vulnerability Rating

Custom Algorithm

spread:          4.5
impact:          2.5
exploitability:  6.2
remediation:     0.0
relevance:       4.7
threat:          6.4
urgency:         2.9
incentive:       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.