Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, an authorization bypass in the optional FaxSMS module (`oe-module-faxsms`) allows any authenticated OpenEMR user to invoke controller methods — including `getNotificationLog()`, which returns patient appointment data (PHI) — regardless of whether they hold the required ACL permissions. The `AppDispatch` constructor dispatches user-controlled actions and exits the process before any calling code can enforce ACL checks. Version 8.0.0.2 fixes the issue.
Published: 2026-03-19
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access to PHI
Action: Apply Patch
AI Analysis

Impact

OpenEMR's optional FaxSMS module (oe-module-faxsms) contains an authorization bypass in the AppDispatch constructor. The constructor takes an action name supplied by an authenticated user, dispatches to the corresponding controller method, and exits the process, so any ACL check the calling code intended to perform afterwards is never reached. As a result, any authenticated user can invoke methods such as getNotificationLog(), which returns patient appointment data (PHI). The two weaknesses recorded for this CVE describe the defect precisely: an incorrect order of operations (CWE-696) that in practice leaves the action with no authorization check at all (CWE-862), allowing unauthorized disclosure of confidential health information.
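As an added example (not code from OpenEMR or the oe-module-faxsms project), the following PHP contrasts the dispatch shape the advisory describes, where a constructor runs a user-chosen action and exits, with a corrected shape where dispatch is an explicit, allow-listed method that runs only after the permission check. The class names, the acl_check() helper, the 'patients'/'appt' permission and the sample records are assumptions chosen for illustration; OpenEMR's real ACL API and data are not reproduced here.

```php
<?php
// Added illustration (not OpenEMR's code) of the ordering bug described above:
// a dispatcher whose constructor acts on a user-supplied action and exits, so
// the caller's ACL check is dead code. Class names, acl_check() and the sample
// records are assumptions made for this example.
declare(strict_types=1);

// Stand-in for the application's real permission check (assumed helper).
function acl_check(array $user, string $section, string $value): bool
{
    return in_array("$section/$value", $user['acl'], true);
}

// Constructed sample data standing in for patient appointment records (PHI).
const NOTIFICATION_LOG = [
    ['pid' => 1, 'when' => '2026-03-20 09:00', 'status' => 'sms sent'],
    ['pid' => 2, 'when' => '2026-03-20 09:30', 'status' => 'fax queued'],
];

// Vulnerable shape: the constructor dispatches any public method named by the
// request and terminates the process. Whatever the caller meant to check after
// `new` never runs (CWE-696), so no authorization happens at all (CWE-862).
class VulnerableAppDispatch
{
    public function __construct(string $action)
    {
        if (method_exists($this, $action)) {
            echo json_encode($this->$action()), PHP_EOL;
            exit;
        }
    }

    public function getNotificationLog(): array
    {
        return NOTIFICATION_LOG;
    }
}

// Hardened shape: construction has no side effects, actions are allow-listed
// with the permission each one requires, and the ACL check precedes dispatch.
class FixedAppDispatch
{
    private const ACTIONS = [
        'getNotificationLog' => ['patients', 'appt'],
    ];

    public function dispatch(array $user, string $action): array
    {
        if (!isset(self::ACTIONS[$action])) {
            return ['status' => 400, 'error' => 'unknown action'];
        }
        [$section, $value] = self::ACTIONS[$action];
        if (!acl_check($user, $section, $value)) {
            return ['status' => 403, 'error' => 'forbidden'];
        }
        return ['status' => 200, 'data' => $this->$action()];
    }

    public function getNotificationLog(): array
    {
        return NOTIFICATION_LOG;
    }
}

// Post-patch verification, as in the recommended actions: a user without the
// permission must be refused, a user with it must still get the data.
$nurse = ['name' => 'nurse', 'acl' => []];                 // lacks patients/appt
$admin = ['name' => 'admin', 'acl' => ['patients/appt']];

$fixed = new FixedAppDispatch();
$denied = $fixed->dispatch($nurse, 'getNotificationLog');
$allowed = $fixed->dispatch($admin, 'getNotificationLog');
printf("fixed: nurse -> %d, admin -> %d (%d records)\n",
    $denied['status'], $allowed['status'], count($allowed['data']));

// Vulnerable path for contrast: the constructor prints the whole log for the
// nurse and exits, so the check that follows it is never reached.
new VulnerableAppDispatch('getNotificationLog');
if (!acl_check($nurse, 'patients', 'appt')) {
    echo "forbidden\n";   // never printed
}
```

Run with `php example.php`: the fixed dispatcher reports 403 for the nurse and 200 with two records for the admin, after which the vulnerable constructor dumps the full log and ends the script before the trailing check can print "forbidden". The point to carry into code review is structural: a constructor that performs request handling and calls exit cannot be wrapped in a permission check by its caller, so authorization has to sit inside or ahead of the dispatch path itself.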

Affected Systems

Installations running any OpenEMR version prior to 8.0.0.2 that have the optional FaxSMS module (oe-module-faxsms) installed and enabled are affected. The defect is in that module's AppDispatch code, not in core OpenEMR, so the issue does not impact core functionality on deployments without the module. Versions 8.0.0.2 and later contain the fix.

Risk and Exploitability

The CVSS 3.1 base score is 5.4 (Medium), vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N: reachable over the network with low attack complexity and no user interaction, but requiring an authenticated low-privilege account. The EPSS score is below 1%, the vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment recorded for it gives Exploitation 'poc', Automatable 'no' and Technical Impact 'partial'. The attacker must already hold valid OpenEMR credentials; the advisory describes no code execution, only the ability to call module controller methods that the user's ACL would otherwise forbid. Because one of those methods returns patient appointment data, the confidentiality impact is significant for any deployment that has the module enabled.

Generated by OpenCVE AI on March 20, 2026 at 16:29 UTC.

Remediation

Vendor fix: upgrade to OpenEMR 8.0.0.2 or later, which the advisory description identifies as the fixed version. No separate vendor workaround is listed.

OpenCVE Recommended Actions

  • Apply the latest OpenEMR patch (8.0.0.2 or later).
  • If upgrading is not immediately possible, disable the FaxSMS module. Tightening ACLs alone does not help, because the bypass happens before any ACL check runs.
  • After patching, verify that getNotificationLog() cannot be invoked by a test account that lacks the required permission.
  • Monitor web server and application logs for requests to FaxSMS module actions, including getNotificationLog, from accounts with no operational need for them.

Advisories

No advisories yet.

History

Sat, 21 Mar 2026 05:30:00 +0000

Type: Metrics; Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Mar 2026 15:15:00 +0000

Type: First Time appeared; Values Added: Open-emr, Open-emr openemr
Type: CPEs; Values Added: cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*
Type: Vendors & Products; Values Added: Open-emr, Open-emr openemr

Fri, 20 Mar 2026 09:00:00 +0000

Type: First Time appeared; Values Added: Openemr, Openemr openemr
Type: Vendors & Products; Values Added: Openemr, Openemr openemr

Thu, 19 Mar 2026 20:45:00 +0000

Type: Description; Values Added: OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, an authorization bypass in the optional FaxSMS module (`oe-module-faxsms`) allows any authenticated OpenEMR user to invoke controller methods — including `getNotificationLog()`, which returns patient appointment data (PHI) — regardless of whether they hold the required ACL permissions. The `AppDispatch` constructor dispatches user-controlled actions and exits the process before any calling code can enforce ACL checks. Version 8.0.0.2 fixes the issue.
Type: Title; Values Added: OpenEMR has Authorization Bypass in FaxSMS AppDispatch Constructor
Type: Weaknesses; Values Added: CWE-696, CWE-862
Type: References; Values Added: none recorded
Type: Metrics; Values Added: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-21T03:31:08.059Z

Reserved: 2026-03-18T18:55:47.428Z

Link: CVE-2026-33305

Vulnrichment

Updated: 2026-03-21T03:31:01.543Z

NVD

Status : Analyzed

Published: 2026-03-19T21:17:11.863

Modified: 2026-03-20T15:05:28.337

Link: CVE-2026-33305

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T11:55:02Z

Weaknesses