Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, the module ACL function `AclMain::zhAclCheck()` only checks for the presence of any "allow" (user or group). It never checks for explicit "deny" (allowed=0). As a result, administrators cannot revoke access by setting a user or group to "deny"; if the user is in a group that has "allow," access is granted regardless of explicit denies. Version 8.0.0.2 fixes the issue.
Published: 2026-03-19
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via ignored ACL denies
Action: Immediate Patch
AI Analysis

Impact

OpenEMR’s ACL check function fails to honor explicit deny rules, allowing any user or group that has an allow entry to bypass security restrictions. The flaw means that administrators cannot revoke access by setting a deny, so users can gain unauthorized privileges to access sensitive features or data. This can compromise both confidentiality and integrity of patient records.

Affected Systems

The vulnerability affects all OpenEMR releases prior to the patched 8.0.0.2, so any installation running 8.0.0.0 or 8.0.0.1 is impacted. Operators should confirm which point release they are running and upgrade if necessary.

Risk and Exploitability

The CVSS score of 7.3 indicates high severity, while the EPSS score of less than 1% suggests a low likelihood of widespread exploitation. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. The flaw can be abused by authenticated users who can modify ACL settings, likely through the web interface or administrative console. An attacker could elevate privileges by ensuring an allow rule exists for a target user, thereby bypassing any explicit deny entries. The impact can extend to unauthorized access to patient data and system configuration.

Generated by OpenCVE AI on March 20, 2026 at 18:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenEMR to version 8.0.0.2 or later, which implements the correct deny logic
  • Verify that ACL configurations are reviewed so no unintended allow rules remain for restricted users
  • After upgrading, test access controls to confirm deny rules are enforced
  • Apply the patch across all environments and monitor for configuration anomalies

Generated by OpenCVE AI on March 20, 2026 at 18:05 UTC.
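To illustrate the allow-only check the description above refers to, and the post-upgrade ACL review recommended above, here is an added, simplified Python model; it is not OpenEMR's PHP code, and the entry structure, function names and sample users and groups are assumptions. The audit helper lists users whose explicit deny would be overridden under the old logic.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AclEntry:
    """One ACL row (assumed shape): a user or group subject with allowed=1 (allow) or allowed=0 (explicit deny)."""
    subject: str   # user login or group name
    kind: str      # "user" or "group"
    allowed: int   # 1 = allow, 0 = explicit deny

def _matches(entry, user, groups):
    """True if the entry applies to this user directly or through one of their groups."""
    if entry.kind == "user":
        return entry.subject == user
    return entry.subject in groups

def acl_check_vulnerable(user, groups, entries):
    """Pre-8.0.0.2 style check: grant if any matching allow exists, never look at denies."""
    return any(e.allowed == 1 and _matches(e, user, groups) for e in entries)

def acl_check_fixed(user, groups, entries):
    """Deny-aware check: an explicit deny for the user or any of their groups wins; otherwise an allow is required."""
    matching = [e for e in entries if _matches(e, user, groups)]
    if any(e.allowed == 0 for e in matching):
        return False
    return any(e.allowed == 1 for e in matching)

def find_ineffective_denies(memberships, entries):
    """Audit helper: users granted by the allow-only logic but denied once denies are honoured."""
    return sorted(
        u for u, g in memberships.items()
        if acl_check_vulnerable(u, g, entries) and not acl_check_fixed(u, g, entries)
    )

# Constructed sample ACL for one hypothetical module: the "clinicians" group is allowed,
# but the administrator has explicitly denied user "bob" (allowed=0).
SAMPLE_ENTRIES = [
    AclEntry("clinicians", "group", 1),
    AclEntry("bob", "user", 0),
]
SAMPLE_MEMBERSHIPS = {
    "alice": ["clinicians"],
    "bob": ["clinicians"],
    "carol": ["billing"],
}

if __name__ == "__main__":
    for user, groups in SAMPLE_MEMBERSHIPS.items():
        print(user, acl_check_vulnerable(user, groups, SAMPLE_ENTRIES), acl_check_fixed(user, groups, SAMPLE_ENTRIES))
    print("denies overridden by the old logic:", find_ineffective_denies(SAMPLE_MEMBERSHIPS, SAMPLE_ENTRIES))
```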

Advisories

No advisories yet.

History

Fri, 20 Mar 2026 21:15:00 +0000

Type: Metrics
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 20 Mar 2026 16:00:00 +0000

Type: First Time appeared
Values added: Open-emr; Open-emr openemr

Type: CPEs
Values added: cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values added: Open-emr; Open-emr openemr

Type: Metrics
Values added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}


Fri, 20 Mar 2026 09:00:00 +0000

Type: First Time appeared
Values added: Openemr; Openemr openemr

Type: Vendors & Products
Values added: Openemr; Openemr openemr

Thu, 19 Mar 2026 20:45:00 +0000

Type: Description
Values added: OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, the module ACL function `AclMain::zhAclCheck()` only checks for the presence of any "allow" (user or group). It never checks for explicit "deny" (allowed=0). As a result, administrators cannot revoke access by setting a user or group to "deny"; if the user is in a group that has "allow," access is granted regardless of explicit denies. Version 8.0.0.2 fixes the issue.

Type: Title
Values added: OpenEMR: zhAclCheck Ignores Explicit ACL Denies

Type: Weaknesses
Values added: CWE-863

Type: References

Type: Metrics
Values added: cvssV4_0 {'score': 7.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T20:20:42.266Z

Reserved: 2026-03-18T18:55:47.428Z

Link: CVE-2026-33302

Vulnrichment

Updated: 2026-03-20T20:20:37.131Z

NVD

Status: Analyzed

Published: 2026-03-19T21:17:11.380

Modified: 2026-03-20T15:53:44.370

Link: CVE-2026-33302

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T11:55:05Z

Weaknesses