CVE-2026-33321
Published: 19 March 2026
Summary
CVE-2026-33321 is a high-severity SSRF (CWE-918) vulnerability in Open-Emr Openemr. Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 30.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the SSRF vulnerability by applying the patch in OpenEMR version 8.0.0.2 that fixes unescaped HTML parsing in the PDF creation function.
Validates and sanitizes Eye Exam form inputs to block malicious HTML that could be parsed during PDF generation and trigger OOB SSRF.
Filters form answers prior to HTML parsing in PDF generation to prevent forged server-side requests to external or internal resources.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SSRF in public-facing OpenEMR web app (T1190) directly enables internal network probing and service enumeration (T1046, T1018) via crafted form input during PDF generation.
NVD Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, users with the `Notes - my encounters` role can fill Eye Exam forms in patient encounters. The answers to the form can…
more
be printed out in PDF form. An Out-of-Band Server-Side Request Forgery (OOB SSRF) vulnerability was identified in the PDF creation function where the form answers are parsed as unescaped HTML, allowing an attacker to forge requests from the server made to external or internal resources. Version 8.0.0.2 fixes the issue.
Deeper analysisAI
CVE-2026-33321 is an Out-of-Band Server-Side Request Forgery (OOB SSRF) vulnerability in OpenEMR, a free and open source electronic health records and medical practice management application. The issue affects versions prior to 8.0.0.2 and resides in the PDF creation function used for Eye Exam forms within patient encounters. Specifically, form answers submitted by users are parsed as unescaped HTML, enabling the forgery of requests from the server to external or internal resources. The vulnerability is rated with a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L) and is associated with CWE-918.
Authenticated users with the "Notes - my encounters" role can exploit this vulnerability by filling out Eye Exam forms in patient encounters and then printing them as PDFs. This triggers the SSRF during PDF generation, allowing attackers to make unauthorized requests from the server to arbitrary internal or external destinations. Successful exploitation can lead to high confidentiality impacts, such as accessing internal network resources, along with low integrity and availability effects, all without requiring user interaction beyond the low-privilege role.
The OpenEMR security advisory (GHSA-5pc3-2crw-96rv) and the fixing commit (dccc962f06bdf6105ca85c277915167caf3e7c28) confirm that upgrading to version 8.0.0.2 resolves the issue by addressing the unescaped HTML parsing in the PDF function. Security practitioners should prioritize patching affected OpenEMR instances to mitigate risks in healthcare environments.
Details
- CWE(s)