CVE-2021-32101
OpenEMR vulnerability analysis and mitigation

Overview

CVE-2021-32101 affects the Patient Portal of OpenEMR 5.0.2.1, specifically related to incorrect access control in portal/patient/machineconfig.php. The vulnerability was discovered by researchers at SonarSource and disclosed in October 2020. This insecure API permissions vulnerability allows unauthenticated attackers to bypass authentication and access the system (Sonar Blog, Daily Swig).

Technical details

The vulnerability exists in the Patient Portal's API interface, which uses the Phreeze framework as a dispatcher. The issue stems from improper session handling in portal/patient/machineconfig.php: an attacker can bypass authentication by first making an HTTP request to register.php, which sets $_SESSION['register'] to true. Because that session variable is not destroyed at the end of the file, the attacker can then reach the dispatcher with $ignoreAuth set to true, effectively bypassing the authentication controls (Sonar Blog).
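As an added illustration, not OpenEMR's code and not taken from the advisories cited here, the following PHP sketches the defect class the paragraph describes (a session flag that exempts requests from authentication and is never cleared) next to one defensive alternative (a time-boxed registration token that the dispatcher honours only for an allow-list of registration actions and that is removed when the flow completes). All file, function, action and variable names below are hypothetical.

```php
<?php
// Illustrative example of the "leaked session flag" pattern.
// NOT OpenEMR's code: names and the dispatcher wiring are hypothetical and
// simplified to show the defect class and a hardened alternative.

// --- Weak pattern -------------------------------------------------------
// Hypothetical register.php: the registration flow needs a few API calls
// before the user has an account, so it marks the session as "registering".
function register_weak(): void
{
    session_start();
    $_SESSION['register'] = true;   // dispatcher will skip authentication
    // ... render the registration form ...
    // DEFECT: the flag is never unset, so the same session cookie keeps the
    // exemption for every later request to the API.
}

// Hypothetical dispatcher check for the weak pattern.
function dispatcher_weak_ignore_auth(array $session): bool
{
    // DEFECT: any action is exempt from auth while the broad flag is present.
    return !empty($session['register']);
}

// --- Hardened pattern ---------------------------------------------------
function register_hardened(): void
{
    session_start();
    // Narrow, time-boxed token instead of a boolean that means "skip auth".
    $_SESSION['register_step'] = [
        'nonce'   => bin2hex(random_bytes(16)),
        'expires' => time() + 600,      // short window for the form round-trip
    ];
    // ... render the registration form ...
    // The session is still unauthenticated; nothing else about it changes.
}

// Decide whether a request may proceed without an authenticated user.
// Returns true only for allow-listed registration actions and only while the
// token is unexpired; every other action falls back to the normal login check.
function dispatcher_may_skip_auth(string $requestedAction, array &$session): bool
{
    $registrationActions = ['register_submit', 'register_verify']; // hypothetical

    if (!in_array($requestedAction, $registrationActions, true)) {
        return false;
    }
    $step = $session['register_step'] ?? null;
    if ($step === null || $step['expires'] < time()) {
        unset($session['register_step']);   // stale token: drop it
        return false;
    }
    return true;
}

// Called once the account has been created: the exemption ends with the flow.
function finish_registration(array &$session): void
{
    unset($session['register_step']);
    session_regenerate_id(true);            // new id for the now-known user
}

// How a dispatcher would use it (hypothetical glue):
// $ignoreAuth = dispatcher_may_skip_auth($_GET['action'] ?? '', $_SESSION);
// if (!$ignoreAuth) { require_authenticated_user(); }
```

The design point is that the exemption is scoped three ways (which actions, for how long, and until which event) rather than being a single session-wide boolean that outlives the page that set it.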

Impact

Once authentication is bypassed, attackers can access all features of the API as a registered Patient Portal user. This allows unauthorized access to patient data, the ability to change patients' email addresses and passwords, and the modification of information about any backend user, including administrators. The vulnerability affects healthcare providers worldwide who use OpenEMR to manage sensitive patient data, including medical records, appointments, and billing information (Sonar Blog, Daily Swig).

Mitigation and workarounds

The vulnerability was patched in OpenEMR version 5.0.2.2 released in August 2020. Healthcare providers are strongly urged to update their OpenEMR installations to the patched version to protect against this vulnerability (OpenEMR Community, Sonar Blog).

Community reactions

The OpenEMR team responded quickly to the vulnerability report, rating the fixes as critical and releasing security patches immediately to protect users. Robert Down, chief operations officer at the OpenEMR Foundation, acknowledged the findings and emphasized their commitment to addressing critical security vulnerabilities (Daily Swig).

This report was generated using AI.

Related OpenEMR vulnerabilities:

CVE ID          Severity  Score  Technologies  Component name                        CISA KEV exploit  Has fix  Published date
CVE-2024-22611  CRITICAL  9.8    OpenEMR       OpenEMR (cpe:2.3:a:open-emr:openemr)  No                Yes      Apr 03, 2025
CVE-2025-43860  HIGH      7.6    OpenEMR       OpenEMR (cpe:2.3:a:open-emr:openemr)  No                Yes      May 23, 2025
CVE-2025-32794  HIGH      7.6    OpenEMR       OpenEMR (cpe:2.3:a:open-emr:openemr)  No                Yes      May 23, 2025
CVE-2025-31121  HIGH      7      OpenEMR       OpenEMR (cpe:2.3:a:open-emr:openemr)  No                Yes      Apr 01, 2025
CVE-2025-32967  MEDIUM    5.4    OpenEMR       OpenEMR (cpe:2.3:a:open-emr:openemr)  No                Yes      May 23, 2025
