Cyber Resilience

CVE-2026-33918

Severity: High
Published: 26 March 2026
Modified: 26 March 2026
KEV Added: not listed
Patch: available (OpenEMR 8.0.0.3)
CVSS Score v3.1: 7.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L)
EPSS Score: 0.0024 (15.3rd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-33918 is a high-severity Missing Authorization (CWE-862) vulnerability in OpenEMR (CPE vendor open-emr, product openemr). Its CVSS v3.1 base score is 7.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190), with the caveat that the vector's PR:L means the attacker must already hold a valid OpenEMR account; EPSS ranks it at the 15.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-33918 is a missing authorization vulnerability (CWE-862) in OpenEMR, a free and open-source electronic health records and medical practice management application. In versions prior to 8.0.0.3, the billing file-download endpoint `interface/billing/get_claim_file.php` only verifies that the caller has a valid session and a valid CSRF token; it never consults the access control list (ACL), so the session check establishes who the caller is but nothing decides whether that user may touch billing files. The resulting exposure of sensitive billing data is scored at CVSS v3.1 7.6 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L).

Any authenticated OpenEMR user, irrespective of billing privileges, can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation allows the attacker to download electronic claim batch files containing protected health information (PHI) and permanently delete them, resulting in high confidentiality impact alongside low integrity and availability impacts.

The issue is addressed in OpenEMR version 8.0.0.3, which patches the endpoint to include proper ACL checks. Relevant advisories and resources include the GitHub security advisory (GHSA-g3p5-5grq-m65m), the release notes for v8.0.0.3, and the fixing commit (f6d98d0102df0a8f131be560d9208fb65fba6188). Security practitioners should prioritize upgrading affected instances to mitigate exposure of PHI. Until the upgrade lands, treat every existing OpenEMR account as able to read and delete claim batches, and review web-server access logs for requests to `interface/billing/get_claim_file.php` from accounts that have no billing role.


Vulnerability details

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the billing file-download endpoint `interface/billing/get_claim_file.php` only verifies that the caller has a valid session and CSRF token, but does not check any ACL permissions. This allows any authenticated OpenEMR user — regardless of whether they have billing privileges — to download and permanently delete electronic claim batch files containing protected health information (PHI). Version 8.0.0.3 patches the issue.
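To make the control-flow difference concrete, here is an added example, constructed for this page rather than taken from OpenEMR's code, that models the endpoint in Python: one handler that stops at session plus CSRF token, as the pre-8.0.0.3 endpoint did, and one that adds the ACL decision before the file is read or deleted. The Session and Request types, the ACL table with its ("acct", "bill") entry, the in-memory file store and the user names are all assumptions made for the example.

```python
"""Model of the CWE-862 flaw behind CVE-2026-33918 and of its fix.

Constructed illustration, not OpenEMR code: the function names, the ACL
table, the Session/Request shapes and the claim-file contents are all
assumptions made for this example. OpenEMR's real endpoint is PHP and uses
its own session, CSRF and ACL helpers; only the control flow is modelled.
"""
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass
class Session:
    user: str
    csrf_token: str


@dataclass
class Request:
    session: Optional[Session]
    csrf_token: Optional[str]   # token echoed back by the client
    action: str                 # "download" or "delete"
    filename: str


# Assumed ACL table: the (section, value) pairs each user holds. A billing
# clerk has the billing ACL; a front-desk user has none.
ACL: Dict[str, Set[Tuple[str, str]]] = {
    "billing_clerk": {("acct", "bill")},
    "front_desk": set(),
}


def new_claim_store() -> Dict[str, bytes]:
    """Constructed claim batch files standing in for PHI-bearing X12 batches."""
    return {"claims_20260326.txt": b"ISA*00*...constructed claim batch..."}


def acl_check(user: str, section: str, value: str) -> bool:
    """Deny by default: an unknown user holds no permissions."""
    return (section, value) in ACL.get(user, set())


def session_and_csrf_ok(req: Request) -> bool:
    """Authentication plus anti-forgery; says nothing about authorization."""
    if req.session is None or req.csrf_token is None:
        return False
    return hmac.compare_digest(req.session.csrf_token, req.csrf_token)


def _serve(req: Request, store: Dict[str, bytes]) -> Tuple[int, bytes]:
    """The file action itself; authorization must be decided before this runs."""
    if req.filename not in store:
        return 404, b""
    if req.action == "download":
        return 200, store[req.filename]
    if req.action == "delete":
        del store[req.filename]
        return 200, b"deleted"
    return 400, b""


def get_claim_file_vulnerable(req: Request, store: Dict[str, bytes]) -> Tuple[int, bytes]:
    """Pre-8.0.0.3 shape: session and CSRF token are checked, the ACL is not,
    so any logged-in user reaches the download/delete code path."""
    if not session_and_csrf_ok(req):
        return 403, b""
    return _serve(req, store)


def get_claim_file_fixed(req: Request, store: Dict[str, bytes]) -> Tuple[int, bytes]:
    """Fixed shape: the same session/CSRF gate, then an explicit ACL decision
    before any read or delete. Both actions sit behind the one check."""
    if not session_and_csrf_ok(req):
        return 403, b""
    if not acl_check(req.session.user, "acct", "bill"):
        return 403, b""
    return _serve(req, store)


if __name__ == "__main__":
    desk = Session("front_desk", "tok-desk")
    for handler in (get_claim_file_vulnerable, get_claim_file_fixed):
        store = new_claim_store()
        status, _ = handler(Request(desk, "tok-desk", "delete", "claims_20260326.txt"), store)
        print(handler.__name__, "front_desk delete ->", status, "| files left:", list(store))
```

The point the model makes is that a passing CSRF check only proves the request came from the user's own browser session; it is not evidence that the user may touch billing data, which is why the authorization decision has to be a separate, deny-by-default step placed before the first side effect, and why the delete path needs it as much as the download path.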

CWE(s)

CWE-862 Missing Authorization

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1070.004 Indicator Removal: File Deletion (Defense Evasion)
Adversaries may delete files left behind by the actions of their intrusion activity.
Why these techniques?

The endpoint is reachable over the network on an Internet-facing OpenEMR instance, so the missing ACL check maps to T1190, with the caveat that PR:L in the CVSS vector means the attacker must already hold an OpenEMR account (a compromised or insider account rather than an unauthenticated exploit). Once authenticated, downloading the claim batch files from the server is T1005, and permanently deleting them is T1070.004.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

Same product (open-emr / openemr):

CVE-2026-25164
CVE-2026-34053
CVE-2026-32126
CVE-2026-25131
CVE-2025-29789
CVE-2026-33914
CVE-2026-34056
CVE-2026-33913
CVE-2026-24848
CVE-2026-32127

Affected Assets

open-emr / openemr: versions < 8.0.0.3 (fixed in 8.0.0.3)

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

AC-3 Access Enforcement (prevent)
Requires enforcement of approved authorizations for access to system resources, directly addressing the missing ACL permission check in the billing endpoint that allowed unauthorized downloads and deletions of PHI files.

AC-6 Least Privilege (prevent)
Mandates least privilege to restrict access to only necessary privileges, preventing authenticated users without billing roles from accessing sensitive claim batch files.

AC-24 Access Control Decisions (prevent)
Requires explicit authorization decisions for access to defined system resources by specific roles, mitigating the lack of ACL-based access decisions at the vulnerable endpoint.
