Access Control Vulnerability in OpenEMR by OpenEMR
CVE-2026-33918

7.6HIGH

Key Information:

Vendor

Openemr

Status
Openemr
Vendor
CVE Published:
25 March 2026

What is CVE-2026-33918?

OpenEMR, a widely used open-source electronic health records and medical practice management application, has a significant vulnerability affecting all versions prior to 8.0.0.3. This vulnerability lies in the billing file-download functionality, specifically within the interface/billing/get_claim_file.php endpoint. It allows any authenticated user to download and potentially delete electronic claim batch files that contain protected health information (PHI), without proper verification of access control list (ACL) permissions. Users with no billing privileges can exploit this flaw, posing serious risks to data confidentiality and integrity. The issue has been addressed in version 8.0.0.3.

Affected Version(s)

openemr < 8.0.0.3

References

https://github.com/openemr/openemr/security/advisories/GH...
x_refsource_CONFIRM
https://github.com/openemr/openemr/commit/f6d98d0102df0a8...
x_refsource_MISC
https://github.com/openemr/openemr/releases/tag/v8_0_0_3
x_refsource_MISC

CVSS V3.1

Score:
7.6
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.