Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, users with the `Notes - my encounters` role can fill Eye Exam forms in patient encounters. The answers to the form can be printed out in PDF form. An Out-of-Band Server-Side Request Forgery (OOB SSRF) vulnerability was identified in the PDF creation function where the form answers are parsed as unescaped HTML, allowing an attacker to forge requests from the server made to external or internal resources. Version 8.0.0.2 fixes the issue.
Published: 2026-03-19
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Server-side request forging
Action: Immediate Patch
AI Analysis

Impact

A server‑side request forgery was discovered in the PDF generation routine that processes eye exam form answers. The answers are parsed as unescaped HTML, allowing an attacker to embed URLs that the server then requests out‑of‑band. This flaw enables the server to contact arbitrary external or internal endpoints, potentially exposing sensitive data, enumerating internal services, or chaining to other vulnerabilities. The weakness corresponds to CWE‑918 and carries a CVSS score of 7.2.

Affected Systems

The flaw exists in OpenEMR releases prior to 8.0.0.2. Users who have the "Notes ­– my encounters" role, which allows them to fill and print eye exam forms as PDFs, are susceptible. Any deployment of OpenEMR before the 8.0.0.2 update that provides this functionality is affected.

Risk and Exploitability

The CVSS score indicates a high risk, and with an EPSS below 1 % the likelihood of a widespread exploitation today is low, yet the possibility of targeted attacks remains. Because the attack requires the ability to submit form data, an attacker would need either access to the application user interface or a privilege escalation within the application. The flaw is not currently listed in CISA's KEV catalog, but the expansion of network‑based attacks via SSRF makes it a high‑severity concern that should be addressed promptly.

Generated by OpenCVE AI on March 20, 2026 at 16:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the OpenEMR 8.0.0.2 update or later to remove the SSRF vulnerability.
  • Limit the "Notes ­– my encounters" role to trusted users and consider disabling it if not essential.
  • Implement web‑server or application firewall rules that restrict outbound connections from the OpenEMR server to only approved destinations.
  • If immediate patching is not possible, disable PDF rendering for eye exam forms until the issue is fixed or sanitize form input before generating PDFs.

Generated by OpenCVE AI on March 20, 2026 at 16:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 20 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Open-emr
Open-emr openemr
CPEs cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*
Vendors & Products Open-emr
Open-emr openemr
Metrics cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L'}

Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Openemr
Openemr openemr
Vendors & Products Openemr
Openemr openemr

Thu, 19 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Description OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, users with the `Notes - my encounters` role can fill Eye Exam forms in patient encounters. The answers to the form can be printed out in PDF form. An Out-of-Band Server-Side Request Forgery (OOB SSRF) vulnerability was identified in the PDF creation function where the form answers are parsed as unescaped HTML, allowing an attacker to forge requests from the server made to external or internal resources. Version 8.0.0.2 fixes the issue.
Title OpenEMR has Out-of-Band Server-Side Request Forgery (OOB SSRF)
Weaknesses CWE-918
References
Metrics cvssV4_0

{'score': 7.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L'}

Subscriptions

Open-emr Openemr
Openemr Openemr
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-19T20:30:15.904Z

Reserved: 2026-03-18T21:23:36.677Z

Link: CVE-2026-33321

cve-icon Vulnrichment

Updated: 2026-03-19T20:30:06.401Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-19T21:17:12.017

Modified: 2026-03-20T15:03:34.663

Link: CVE-2026-33321

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T11:55:06Z

Weaknesses