CVE-2026-33305

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, an authorization bypass in the optional FaxSMS module (`oe-module-faxsms`) allows any authenticated OpenEMR user to invoke controller methods — including `getNotificationLog()`, which returns patient appointment data (PHI) — regardless of whether they hold the required ACL permissions. The `AppDispatch` constructor dispatches user-controlled actions and exits the process before any calling code can enforce ACL checks. Version 8.0.0.2 fixes the issue.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/openemr/openemr/commit/edb65936e259b2625e8eea4628316c4577cb2a11	Patch
https://github.com/openemr/openemr/security/advisories/GHSA-r973-h5cq-35rc	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-19 21:17

Updated : 2026-03-20 15:05

NVD link : CVE-2026-33305

Mitre link : CVE-2026-33305

CVE.ORG link : CVE-2026-33305

JSON object : View

Products Affected

open-emr

openemr

CWE

CWE-696

Incorrect Behavior Order

CWE-862

Missing Authorization

{"id": "CVE-2026-33305", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.8}]}, "published": "2026-03-19T21:17:11.863", "references": [{"url": "https://github.com/openemr/openemr/commit/edb65936e259b2625e8eea4628316c4577cb2a11", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/openemr/openemr/security/advisories/GHSA-r973-h5cq-35rc", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-696"}, {"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, an authorization bypass in the optional FaxSMS module (`oe-module-faxsms`) allows any authenticated OpenEMR user to invoke controller methods \u2014 including `getNotificationLog()`, which returns patient appointment data (PHI) \u2014 regardless of whether they hold the required ACL permissions. The `AppDispatch` constructor dispatches user-controlled actions and exits the process before any calling code can enforce ACL checks. Version 8.0.0.2 fixes the issue."}, {"lang": "es", "value": "OpenEMR es una aplicaci\u00f3n gratuita y de c\u00f3digo abierto para registros de salud electr\u00f3nicos y gesti\u00f3n de consultorios m\u00e9dicos. Antes de la versi\u00f3n 8.0.0.2, una omisi\u00f3n de autorizaci\u00f3n en el m\u00f3dulo opcional FaxSMS ('oe-module-faxsms') permite a cualquier usuario autenticado de OpenEMR invocar m\u00e9todos de controlador \u2014 incluyendo 'getNotificationLog()', que devuelve datos de citas de pacientes (PHI) \u2014 independientemente de si poseen los permisos ACL requeridos. El constructor 'AppDispatch' despacha acciones controladas por el usuario y sale del proceso antes de que cualquier c\u00f3digo de llamada pueda aplicar las comprobaciones ACL. La versi\u00f3n 8.0.0.2 corrige el problema."}], "lastModified": "2026-03-20T15:05:28.337", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C78F19AD-BD18-4F61-8B1C-DD099DBC6D34", "versionEndExcluding": "8.0.0.2"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}