CVE-2026-33915 - Vulnerability Details

- OpenEMR Missing ACL Checks on Insurance Company API Routes

Description

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, five insurance company REST API routes are missing the `RestConfig::request_authorization_check()` call that every other data-modifying route in the standard API uses. This allows any authenticated API user to create and modify insurance company records even if their OpenEMR user account does not have administrative ACL permissions. Version 8.0.0.3 patches the issue.

Published: 2026-03-25

Score: 5.4 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

OpenEMR lacks proper ACL checks on five REST API routes that manage insurance company data. Because the required authorization call is omitted, any authenticated API user can create or modify these records without administrative ACL permissions. This flaw undermines data integrity for insurance records managed by OpenEMR.

Affected Systems

The vulnerability impacts all OpenEMR deployments running a version prior to 8.0.0.3. Any installation using the standard REST API interface is susceptible. Versions 8.0.0.3 and later contain a patch that restores the missing authorization checks.

Risk and Exploitability

The CVSS score of 5.4 indicates a medium severity. The EPSS score is below 1%, suggesting a low likelihood of exploitation. The vulnerability is not present in the CISA KEV catalog. Exploitation requires a valid API authentication token; with it, an attacker can perform data‑modifying operations on insurance company records with no additional privileges. Therefore, only authenticated users can abuse the flaw, and the attack vector is inferred to be API usage.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

openemr

affected

Version	Status	Constraints
`< 8.0.0.3`	affected	—

Configuration 1 [-]

cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Openemr

100%

Version	Status	Scheme	Platform
`[0,8.0.0.3)`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade OpenEMR to version 8.0.0.3 or newer
Verify the upgrade by checking the application version and restarting the service
Confirm that the API endpoints no longer allow unauthorized modifications
Monitor system logs for unusual API activity

Generated by OpenCVE AI on March 26, 2026 at 18:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00034.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/openemr/openemr/commit/976d2a85f024a730955578597a82c083067a72b4
https://github.com/openemr/openemr/releases/tag/v8_0_0_3
https://github.com/openemr/openemr/security/advisories/GHSA-ww94-26v7-x4gp

History

Thu, 26 Mar 2026 16:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Open-emr Open-emr openemr
CPEs		cpe:2.3:a:open-emr:openemr::::::::
Vendors & Products		Open-emr Open-emr openemr

Thu, 26 Mar 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 26 Mar 2026 12:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Openemr Openemr openemr
Vendors & Products		Openemr Openemr openemr

Wed, 25 Mar 2026 23:45:00 +0000

Type	Values Removed	Values Added
Description		OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, five insurance company REST API routes are missing the `RestConfig::request_authorization_check()` call that every other data-modifying route in the standard API uses. This allows any authenticated API user to create and modify insurance company records even if their OpenEMR user account does not have administrative ACL permissions. Version 8.0.0.3 patches the issue.
Title		OpenEMR Missing ACL Checks on Insurance Company API Routes
Weaknesses		CWE-862
References		https://github.com/openemr/openemr/commit/976d2a85f024a730955578597a82c083067a72b4 https://github.com/openemr/openemr/releases/tag/v8_0_0_3 https://github.com/openemr/openemr/security/advisories/GHSA-ww94-26v7-x4gp
Metrics		cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}`

Subscriptions

Open-emr Openemr

Openemr Openemr

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-03-25T23:23:40.694Z

Updated: 2026-03-26T15:02:43.569Z

Reserved: 2026-03-24T15:41:47.492Z

Link: CVE-2026-33915

Vulnrichment

Updated: 2026-03-26T14:43:37.400Z

NVD

Status : Analyzed

Published: 2026-03-26T00:16:39.303

Modified: 2026-03-26T16:26:16.513

Link: CVE-2026-33915

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:29:23Z

Weaknesses

CWE-862

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object