CVE-2026-33915

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, five insurance company REST API routes are missing the `RestConfig::request_authorization_check()` call that every other data-modifying route in the standard API uses. This allows any authenticated API user to create and modify insurance company records even if their OpenEMR user account does not have administrative ACL permissions. Version 8.0.0.3 patches the issue.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/openemr/openemr/commit/976d2a85f024a730955578597a82c083067a72b4	Patch
https://github.com/openemr/openemr/releases/tag/v8_0_0_3	Product
https://github.com/openemr/openemr/security/advisories/GHSA-ww94-26v7-x4gp	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*

History

26 Mar 2026, 16:26

Type	Values Removed	Values Added
References	~~() https://github.com/openemr/openemr/commit/976d2a85f024a730955578597a82c083067a72b4 -~~	() https://github.com/openemr/openemr/commit/976d2a85f024a730955578597a82c083067a72b4 - Patch
References	~~() https://github.com/openemr/openemr/releases/tag/v8_0_0_3 -~~	() https://github.com/openemr/openemr/releases/tag/v8_0_0_3 - Product
References	~~() https://github.com/openemr/openemr/security/advisories/GHSA-ww94-26v7-x4gp -~~	() https://github.com/openemr/openemr/security/advisories/GHSA-ww94-26v7-x4gp - Vendor Advisory
CPE		cpe:2.3:a:open-emr:openemr::::::::
First Time		Open-emr openemr Open-emr

26 Mar 2026, 00:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-26 00:16

Updated : 2026-03-26 16:26

NVD link : CVE-2026-33915

Mitre link : CVE-2026-33915

CVE.ORG link : CVE-2026-33915

JSON object : View

Products Affected

open-emr

openemr

CWE

CWE-862

Missing Authorization

{"id": "CVE-2026-33915", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.8}]}, "published": "2026-03-26T00:16:39.303", "references": [{"url": "https://github.com/openemr/openemr/commit/976d2a85f024a730955578597a82c083067a72b4", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3", "tags": ["Product"], "source": "security-advisories@github.com"}, {"url": "https://github.com/openemr/openemr/security/advisories/GHSA-ww94-26v7-x4gp", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, five insurance company REST API routes are missing the `RestConfig::request_authorization_check()` call that every other data-modifying route in the standard API uses. This allows any authenticated API user to create and modify insurance company records even if their OpenEMR user account does not have administrative ACL permissions. Version 8.0.0.3 patches the issue."}], "lastModified": "2026-03-26T16:26:16.513", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E3E098AF-42A1-4798-85A7-80052F19F809", "versionEndExcluding": "8.0.0.3"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}