{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33918", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-24T15:41:47.492Z", "datePublished": "2026-03-25T23:35:06.883Z", "dateUpdated": "2026-03-26T18:09:09.836Z"}, "containers": {"cna": {"title": "OpenEMR Missing Authorization on Claim File Download Endpoint", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/openemr/openemr/security/advisories/GHSA-g3p5-5grq-m65m", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openemr/openemr/security/advisories/GHSA-g3p5-5grq-m65m"}, {"name": "https://github.com/openemr/openemr/commit/f6d98d0102df0a8f131be560d9208fb65fba6188", "tags": ["x_refsource_MISC"], "url": "https://github.com/openemr/openemr/commit/f6d98d0102df0a8f131be560d9208fb65fba6188"}, {"name": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3", "tags": ["x_refsource_MISC"], "url": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3"}], "affected": [{"vendor": "openemr", "product": "openemr", "versions": [{"version": "< 8.0.0.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T23:35:06.883Z"}, "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the billing file-download endpoint `interface/billing/get_claim_file.php` only verifies that the caller has a valid session and CSRF token, but does not check any ACL permissions. This allows any authenticated OpenEMR user \u2014 regardless of whether they have billing privileges \u2014 to download and permanently delete electronic claim batch files containing protected health information (PHI). Version 8.0.0.3 patches the issue."}], "source": {"advisory": "GHSA-g3p5-5grq-m65m", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T18:09:02.801572Z", "id": "CVE-2026-33918", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T18:09:09.836Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33918", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T18:09:02.801572Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T18:09:06.700Z"}}], "cna": {"title": "OpenEMR Missing Authorization on Claim File Download Endpoint", "source": {"advisory": "GHSA-g3p5-5grq-m65m", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "openemr", "product": "openemr", "versions": [{"status": "affected", "version": "< 8.0.0.3"}]}], "references": [{"url": "https://github.com/openemr/openemr/security/advisories/GHSA-g3p5-5grq-m65m", "name": "https://github.com/openemr/openemr/security/advisories/GHSA-g3p5-5grq-m65m", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/openemr/openemr/commit/f6d98d0102df0a8f131be560d9208fb65fba6188", "name": "https://github.com/openemr/openemr/commit/f6d98d0102df0a8f131be560d9208fb65fba6188", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3", "name": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the billing file-download endpoint `interface/billing/get_claim_file.php` only verifies that the caller has a valid session and CSRF token, but does not check any ACL permissions. This allows any authenticated OpenEMR user \u2014 regardless of whether they have billing privileges \u2014 to download and permanently delete electronic claim batch files containing protected health information (PHI). Version 8.0.0.3 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T23:35:06.883Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33918", "state": "PUBLISHED", "dateUpdated": "2026-03-26T18:09:09.836Z", "dateReserved": "2026-03-24T15:41:47.492Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-25T23:35:06.883Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*", "matchCriteriaId": "E3E098AF-42A1-4798-85A7-80052F19F809", "versionEndExcluding": "8.0.0.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the billing file-download endpoint `interface/billing/get_claim_file.php` only verifies that the caller has a valid session and CSRF token, but does not check any ACL permissions. This allows any authenticated OpenEMR user \u2014 regardless of whether they have billing privileges \u2014 to download and permanently delete electronic claim batch files containing protected health information (PHI). Version 8.0.0.3 patches the issue."}], "id": "CVE-2026-33918", "lastModified": "2026-03-26T16:27:29.090", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-26T00:16:39.627", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/openemr/openemr/commit/f6d98d0102df0a8f131be560d9208fb65fba6188"}, {"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/openemr/openemr/security/advisories/GHSA-g3p5-5grq-m65m"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,8.0.0.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "openemr", "source": "cna", "vendor": "openemr"}, "product": "openemr", "vendor": "openemr"}], "analysis": {"en": {"generated_at": "2026-03-26T00:53:16.820063+00:00", "value": {"mitigation_remediation": ["Upgrade OpenEMR to version\u202f8.0.0.3 or later to apply the patch that restores proper ACL enforcement on claim file downloads."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized PHI disclosure and deletion via authenticated download endpoint"}, "threat_synthesis": {"affected_systems": "The vulnerability affects installations of OpenEMR prior to version\u202f8.0.0.3. Registered users of the platform who possess a valid login session can exploit this issue, regardless of whether they hold billing privileges. Updates are available in the 8.0.0.3 release from the OpenEMR project.", "description_and_impact": "OpenEMR\u2019s billing file\u2011download endpoint previously validated only session and CSRF credentials but omitted explicit ACL checks. This flaw permits any authenticated user to download and permanently delete electronic claim batch files that contain protected health information. The result is both inadvertent exposure of confidential PHI and loss of valuable medical data.", "risk_and_exploitability": "The CVSS score of 7.6 indicates a high severity moderate\u2011to\u2011high risk. Exploitation requires an authenticated session, making it more likely to be used by internal actors or attackers who gain user credentials. With no EPSS data or KEV listing, the exploit probability remains undefined, but the lack of authorization checks presents a clear opportunity for data compromise. The attack vector is inferred to be authenticated; the attacker must log in to the application and then request the download endpoint."}}}}, "created": "2026-03-26T11:31:10.334295+00:00", "updated": "2026-03-26T12:09:12.769842+00:00", "vendors": ["openemr", "openemr$PRODUCT$openemr"]}