CVE-2026-33913
Published: 25 March 2026
Summary
CVE-2026-33913 is a high-severity Improper Restriction of XML External Entity Reference (CWE-611) vulnerability in OpenEMR. Its CVSS base score is 7.7 (High).
Exploitation maps to the MITRE ATT&CK technique Data from Local System (T1005). The CVE ranks at the 18.7th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Requires validation of uploaded CCDA documents so that crafted XML external references, which would otherwise allow arbitrary server file reads, are rejected before parsing.
- Mandates timely identification, reporting, and remediation of the XXE flaw in OpenEMR's Carecoordination module by updating to version 8.0.0.3.
- Enforces a secure baseline configuration for XML parsers that disables external entity and XInclude processing, preventing XXE exploitation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
XXE in the Carecoordination module directly enables arbitrary local file reads (e.g. file:///etc/passwd), which maps to the Data from Local System (T1005) collection technique.
NVD Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, an authenticated user with access to the Carecoordination module can upload a crafted CCDA document containing `<xi:include href="file:///etc/passwd" parse="text"/>` to read arbitrary files from the server. Version 8.0.0.3 patches the issue.
Deeper analysis
CVE-2026-33913 is a vulnerability in OpenEMR, a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.3 are affected in the Carecoordination module, where an authenticated user can upload a crafted CCDA document containing an `<xi:include href="file:///etc/passwd" parse="text"/>` element. When the server-side XML parser processes the document with XInclude enabled, the referenced local file is inlined into the parsed content, giving the uploader arbitrary file reads from the server. Note that the vector is an XInclude element rather than a DOCTYPE entity declaration; both fall under CWE-611 (Improper Restriction of XML External Entity Reference), and a hardened parser configuration must disable both XInclude resolution and external entity processing. The vulnerability carries a CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N).
An authenticated attacker with access to the Carecoordination module can exploit this remotely over the network with low attack complexity and low privileges required, without user interaction. Successful exploitation allows reading arbitrary files on the server, giving high confidentiality impact with no integrity or availability impact; the vector's scope is marked changed (S:C), since the files read lie outside the vulnerable module's own security authority.
OpenEMR version 8.0.0.3 patches the issue. Mitigation involves updating to this release, as detailed in the patch commit (https://github.com/openemr/openemr/commit/67e1702c41cf486af0069bdafce19860e2cd9a11), release notes (https://github.com/openemr/openemr/releases/tag/v8_0_0_3), and security advisory (https://github.com/openemr/openemr/security/advisories/GHSA-9757-3cfj-wc8q).
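The input-validation control above and the analysis of the `<xi:include>` vector both call for screening uploaded CCDA XML before it reaches the application's real parser. The following is an added example, written in Python with the standard-library expat parser as a stand-in for OpenEMR's own (PHP) code; the function name, the finding strings and the CCDA samples are constructed for illustration and are not OpenEMR's. It flags any XInclude element, any DOCTYPE or entity declaration, and any external entity reference, and fails closed on malformed XML, without ever fetching a referenced resource.

```python
import xml.parsers.expat

XINCLUDE_NS = "http://www.w3.org/2001/XInclude"

def find_unsafe_xml_features(document: bytes) -> list[str]:
    """Pre-parse gate for an uploaded XML document (e.g. a CCDA). Returns reasons to
    reject it; an empty list means no XInclude, DOCTYPE/entity or external reference."""
    findings: list[str] = []
    # "}" separates namespace URI and local name in expat's expanded element names.
    parser = xml.parsers.expat.ParserCreate(namespace_separator="}")
    # Never fetch an external DTD or parameter entity while scanning.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings.append(f"DOCTYPE declaration present (root={name}, system id={sysid!r})")
    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        kind = "external" if (sysid or pubid) else "internal"
        findings.append(f"{kind} entity declared: {name!r} (system id={sysid!r})")
    def on_start(tag, attrs):
        ns, _, local = tag.rpartition("}")
        if ns == XINCLUDE_NS:  # the element class used in CVE-2026-33913
            findings.append(f"XInclude element <{local}> href={attrs.get('href')!r} "
                            f"parse={attrs.get('parse', 'xml')!r}")
    def on_external_ref(context, base, sysid, pubid):
        findings.append(f"external entity referenced in content: {sysid!r}")
        return 1  # continue parsing, but nothing is fetched

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.StartElementHandler = on_start
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(document, True)
    except xml.parsers.expat.ExpatError as exc:
        findings.append(f"malformed XML, rejecting: {exc}")  # fail closed
    return findings

# Constructed samples (no real patient data): a harmless CCDA skeleton and one carrying
# the XInclude element quoted in the advisory.
BENIGN_CCDA = b"""<?xml version="1.0"?>
<ClinicalDocument xmlns="urn:hl7-org:v3"><title>Summary</title></ClinicalDocument>"""

XINCLUDE_CCDA = b"""<?xml version="1.0"?>
<ClinicalDocument xmlns="urn:hl7-org:v3" xmlns:xi="http://www.w3.org/2001/XInclude">
  <title><xi:include href="file:///etc/passwd" parse="text"/></title>
</ClinicalDocument>"""

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_CCDA), ("xinclude", XINCLUDE_CCDA)):
        print(name, "->", find_unsafe_xml_features(doc) or "accepted")
```

This gate complements, but does not replace, updating to 8.0.0.3 and configuring the production parser itself with XInclude and external entity resolution disabled.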
Details
- CWE(s)