CVE-2026-33918
Published: 26 March 2026
Summary
CVE-2026-33918 is a high-severity Missing Authorization (CWE-862) vulnerability in OpenEMR (NVD vendor/product: Open-Emr / Openemr). Its CVSS base score is 7.6 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 12.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): requires enforcement of approved authorizations for access to system resources. This directly addresses the missing ACL permission check in the billing endpoint that allowed unauthorized downloads and deletions of PHI files.
- AC-6 (Least Privilege): mandates that accounts hold only the privileges they need, so that authenticated users without billing roles cannot reach sensitive claim batch files.
- AC-24 (Access Control Decisions): requires an explicit authorization decision for access to defined system resources by specific roles, mitigating the absence of any ACL-based decision at the vulnerable endpoint.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The missing ACL on an authenticated web endpoint enables remote exploitation of the public-facing application (T1190), which in turn allows unauthorized download of local billing files (T1005, Data from Local System) and their deletion (T1070.004, Indicator Removal: File Deletion). Note that the CVSS vector requires low privileges (PR:L): the attacker must already hold a valid OpenEMR account, so the realistic actors are malicious insiders and attackers who have obtained any low-privilege credentials, not unauthenticated remote users.
NVD Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the billing file-download endpoint `interface/billing/get_claim_file.php` only verifies that the caller has a valid session and CSRF token, but does not check any ACL permissions. This allows any authenticated OpenEMR user, regardless of whether they have billing privileges, to download and permanently delete electronic claim batch files containing protected health information (PHI). Version 8.0.0.3 patches the issue.
Deeper analysis
CVE-2026-33918 is a missing authorization vulnerability (CWE-862) in OpenEMR, a free and open-source electronic health records and medical practice management application. In versions prior to 8.0.0.3, the billing file-download endpoint at `interface/billing/get_claim_file.php` checks only that the caller has a valid session and a valid CSRF token; it never consults the access control list (ACL) to decide whether that user is allowed to touch billing files. The flaw exposes sensitive billing data and carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L).
Any authenticated OpenEMR user, irrespective of billing privileges, can exploit this vulnerability remotely over the network with low complexity and no user interaction. The CSRF check offers no protection here, because the attacker submits the request from their own legitimate session and therefore holds a valid token. Successful exploitation lets the attacker download electronic claim batch files containing protected health information (PHI) and permanently delete them, which is why the vector rates confidentiality impact as high and integrity and availability impact as low.
The issue is addressed in OpenEMR version 8.0.0.3, which adds the missing ACL check to the endpoint. Relevant advisories and resources include the GitHub security advisory (GHSA-g3p5-5grq-m65m), the release notes for v8.0.0.3, and the fixing commit (f6d98d0102df0a8f131be560d9208fb65fba6188). Security practitioners should prioritize upgrading affected instances; after upgrading, confirm that a test account without billing rights is refused by the endpoint, and review which accounts exist and whether each genuinely needs access to the system at all, since any account is sufficient to exploit unpatched instances.
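The following is an added illustration of the authorization bug class described above, written for this page and not taken from OpenEMR or its fixing commit. It models a file endpoint in two shapes: the vulnerable one, which stops after the session and CSRF checks, and the fixed one, which adds an explicit ACL decision before any file is read or deleted. The session, CSRF token, ACL table, file store and request parameter names (`key`, `action`, `csrf_token_form`) are all constructed stand-ins, and the billing ACL pair `acct`/`bill` is an assumption, not necessarily the pair the project uses.

```php
<?php
// Added example for CVE-2026-33918 (CWE-862). Not OpenEMR code: every
// component below is a constructed stand-in so the script runs offline with `php`.
declare(strict_types=1);

/** Constructed request context: session user, session CSRF token, ACL grants, file store. */
final class Ctx
{
    /** @var array<string,string> filename => claim batch content (stands in for PHI) */
    public array $files = ['claims-2026-03.x12' => 'ISA*00*...~ (claim batch contents)'];

    /** @param array<string,string[]> $grants user => list of "section/value" ACL grants (constructed) */
    public function __construct(
        public string $user,
        public string $sessionCsrf,
        public array $grants,
    ) {
    }

    /** Stand-in for an ACL lookup: does the session user hold section/value? */
    public function aclCheck(string $section, string $value): bool
    {
        return in_array("$section/$value", $this->grants[$this->user] ?? [], true);
    }
}

/** Checks both handlers share: a live session and a matching CSRF token. Returns null on success. */
function verifySessionAndCsrf(Ctx $ctx, array $req): ?array
{
    if ($ctx->user === '') {
        return [401, 'no session'];
    }
    // Constant-time comparison of the form token against the session token.
    if (!hash_equals($ctx->sessionCsrf, (string) ($req['csrf_token_form'] ?? ''))) {
        return [403, 'bad csrf token'];
    }
    return null;
}

/** The file operation itself; both handlers end here. Parameter names are assumptions. */
function serveOrDelete(Ctx $ctx, array $req): array
{
    $name = basename((string) ($req['key'] ?? ''));
    if (!isset($ctx->files[$name])) {
        return [404, 'no such file'];
    }
    if (($req['action'] ?? 'download') === 'delete') {
        unset($ctx->files[$name]);          // permanent removal of the claim batch
        return [200, "deleted $name"];
    }
    return [200, $ctx->files[$name]];       // download: PHI leaves the server here
}

/** Vulnerable shape: authentication and CSRF are checked, authorization never is. */
function getClaimFileVulnerable(Ctx $ctx, array $req): array
{
    if (($err = verifySessionAndCsrf($ctx, $req)) !== null) {
        return $err;
    }
    return serveOrDelete($ctx, $req);       // any logged-in user reaches this line
}

/** Fixed shape: an explicit ACL decision precedes any read or delete of the file. */
function getClaimFileFixed(Ctx $ctx, array $req): array
{
    if (($err = verifySessionAndCsrf($ctx, $req)) !== null) {
        return $err;
    }
    // Assumed billing ACL pair; the project's actual section/value may differ.
    if (!$ctx->aclCheck('acct', 'bill')) {
        return [403, 'not authorized for billing files'];
    }
    return serveOrDelete($ctx, $req);
}

// Demo: a front-desk account with no billing grant, a valid session and a valid CSRF token.
$grants = ['biller' => ['acct/bill'], 'frontdesk' => ['patients/demo']];
$req = ['key' => 'claims-2026-03.x12', 'csrf_token_form' => 'tok123', 'action' => 'delete'];

[$code, $body] = getClaimFileVulnerable(new Ctx('frontdesk', 'tok123', $grants), $req);
echo "vulnerable handler: $code $body\n";

[$code, $body] = getClaimFileFixed(new Ctx('frontdesk', 'tok123', $grants), $req);
echo "fixed handler:      $code $body\n";

[$code, $body] = getClaimFileFixed(new Ctx('biller', 'tok123', $grants), $req);
echo "fixed, biller:      $code $body\n";
```

Run it with `php get_claim_file_demo.php` (PHP 8.0 or later, for constructor property promotion). The point to take from it is the ordering: the authorization decision sits before the branch that reads or deletes the file, so a correct CSRF token and a live session alone never reach the file store. The same gate must cover every operation the endpoint offers; adding it to the download path but not the delete path would leave the integrity and availability impact in place.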
Details
- CWE(s)