CVE-2026-33918

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the billing file-download endpoint `interface/billing/get_claim_file.php` only verifies that the caller has a valid session and CSRF token, but does not check any ACL permissions. This allows any authenticated OpenEMR user — regardless of whether they have billing privileges — to download and permanently delete electronic claim batch files containing protected health information (PHI). Version 8.0.0.3 patches the issue.

CVSS v3 7.6 HIGH

7.6^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 4.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/openemr/openemr/commit/f6d98d0102df0a8f131be560d9208fb65fba6188	Patch
https://github.com/openemr/openemr/releases/tag/v8_0_0_3	Product
https://github.com/openemr/openemr/security/advisories/GHSA-g3p5-5grq-m65m	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*

History

26 Mar 2026, 16:27

Type	Values Removed	Values Added
First Time		Open-emr openemr Open-emr
References	~~() https://github.com/openemr/openemr/commit/f6d98d0102df0a8f131be560d9208fb65fba6188 -~~	() https://github.com/openemr/openemr/commit/f6d98d0102df0a8f131be560d9208fb65fba6188 - Patch
References	~~() https://github.com/openemr/openemr/releases/tag/v8_0_0_3 -~~	() https://github.com/openemr/openemr/releases/tag/v8_0_0_3 - Product
References	~~() https://github.com/openemr/openemr/security/advisories/GHSA-g3p5-5grq-m65m -~~	() https://github.com/openemr/openemr/security/advisories/GHSA-g3p5-5grq-m65m - Vendor Advisory
CPE		cpe:2.3:a:open-emr:openemr::::::::

26 Mar 2026, 00:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-26 00:16

Updated : 2026-03-26 16:27

NVD link : CVE-2026-33918

Mitre link : CVE-2026-33918

CVE.ORG link : CVE-2026-33918

JSON object : View

Products Affected

open-emr

openemr

CWE

CWE-862

Missing Authorization

{"id": "CVE-2026-33918", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.7, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2026-03-26T00:16:39.627", "references": [{"url": "https://github.com/openemr/openemr/commit/f6d98d0102df0a8f131be560d9208fb65fba6188", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3", "tags": ["Product"], "source": "security-advisories@github.com"}, {"url": "https://github.com/openemr/openemr/security/advisories/GHSA-g3p5-5grq-m65m", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the billing file-download endpoint `interface/billing/get_claim_file.php` only verifies that the caller has a valid session and CSRF token, but does not check any ACL permissions. This allows any authenticated OpenEMR user \u2014 regardless of whether they have billing privileges \u2014 to download and permanently delete electronic claim batch files containing protected health information (PHI). Version 8.0.0.3 patches the issue."}], "lastModified": "2026-03-26T16:27:29.090", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E3E098AF-42A1-4798-85A7-80052F19F809", "versionEndExcluding": "8.0.0.3"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}