Authentication Bypass Vulnerability in OpenEMR by OpenEMR
CVE-2026-33915

5.4MEDIUM

Key Information:

Vendor

Openemr

Status
Openemr
Vendor
CVE Published:
25 March 2026

What is CVE-2026-33915?

OpenEMR, a widely-used electronic health records and medical practice management application, contains a significant vulnerability affecting its API. Specifically, prior to version 8.0.0.3, the application lacks essential authorization checks on five REST API routes related to insurance companies. This oversight allows any authenticated user of the API to create and alter sensitive insurance company records, circumventing the necessary administrative permissions that should have been enforced by the application. Users are highly encouraged to update to the patched version to secure their systems against potential misuse of this vulnerability.

Affected Version(s)

openemr < 8.0.0.3

References

https://github.com/openemr/openemr/security/advisories/GH...
x_refsource_CONFIRM
https://github.com/openemr/openemr/commit/976d2a85f024a73...
x_refsource_MISC
https://github.com/openemr/openemr/releases/tag/v8_0_0_3
x_refsource_MISC

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.