Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the billing file-download endpoint `interface/billing/get_claim_file.php` only verifies that the caller has a valid session and CSRF token, but does not check any ACL permissions. This allows any authenticated OpenEMR user — regardless of whether they have billing privileges — to download and permanently delete electronic claim batch files containing protected health information (PHI). Version 8.0.0.3 patches the issue.
Published: 2026-03-25
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized download and deletion of PHI claim batch files by any authenticated user even without billing rights.
Action: Patch immediately
AI Analysis

Impact

A missing ACL check on the billing file‑download endpoint allows any authenticated OpenEMR user to download and permanently delete claim batch files that contain protected health information. This results in unauthorized disclosure of PHI and potential loss of critical data.

Affected Systems

OpenEMR installations running any version prior to 8.0.0.3 are affected. The flaw applies to all affected deployments regardless of user role, as the endpoint accepts authenticated sessions without validating billing privileges.

Risk and Exploitability

The CVSS score of 7.6 denotes high severity, and the EPSS score of less than 1% suggests a low probability of observed exploitation. Nonetheless, because the vulnerability can be triggered by any logged-in user, the risk to organizations handling PHI is significant. The fix is to apply the vendor patch; until it is applied, the endpoint remains reachable by any logged-in user without an ACL check, which is a serious security concern.

Generated by OpenCVE AI on March 26, 2026 at 17:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the OpenEMR update to version 8.0.0.3 or later to resolve the missing ACL check.
  • Ensure that the claim file download endpoint is protected by policy and is only reachable by users with billing privileges.
  • Verify that session and CSRF token verification remain intact while adding the necessary ACL validation.
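The pattern those three actions describe, as an added illustration rather than OpenEMR's own `get_claim_file.php`: the existing session and CSRF checks stay, and an ACL check is inserted before any file is read or unlinked. The `'acct'`/`'bill'` ACL section and value, the `key` and `action` request parameters, and the batch directory path are assumptions made for this example.

```php
<?php
// Added illustration of the hardened handler (not OpenEMR's own code).
// Assumptions: interface/globals.php has already enforced a logged-in session,
// AclMain and CsrfUtils are OpenEMR's helper classes, and 'acct'/'bill' is the
// billing privilege this endpoint should require.
require_once(__DIR__ . "/../globals.php");

use OpenEMR\Common\Acl\AclMain;
use OpenEMR\Common\Csrf\CsrfUtils;

// 1. CSRF: reject forged cross-site requests (this check existed before the fix).
if (!CsrfUtils::verifyCsrfToken($_GET['csrf_token_form'] ?? '')) {
    CsrfUtils::csrfNotVerified();
}

// 2. Authorization: the check that was missing (CWE-862). A valid session is
//    not enough; the caller must hold the billing privilege.
if (!AclMain::aclCheckCore('acct', 'bill')) {
    http_response_code(403);
    die(xlt('Not authorized'));
}

// 3. Only now touch the file. Reduce the requested name to a plain basename
//    inside the batch directory (assumed location) so the ACL-protected action
//    cannot reach files elsewhere on disk.
$batchDir = realpath($GLOBALS['OE_SITE_DIR'] . '/documents/edi');
$name = basename((string) ($_GET['key'] ?? ''));
$path = ($name !== '' && $batchDir !== false) ? realpath($batchDir . '/' . $name) : false;
if ($path === false || strpos($path, $batchDir . DIRECTORY_SEPARATOR) !== 0) {
    http_response_code(404);
    die(xlt('File not found'));
}

header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $name . '"');
readfile($path);

// 4. Permanent deletion is a separate, explicit action and sits behind the
//    same ACL check, so a non-billing user can neither read nor remove PHI.
if (($_GET['action'] ?? '') === 'delete') {
    unlink($path);
}
```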


Advisories

No advisories yet.

History

Thu, 26 Mar 2026 18:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 16:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Open-emr; Open-emr openemr
CPEs | | cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*
Vendors & Products | | Open-emr; Open-emr openemr

Thu, 26 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Openemr; Openemr openemr
Vendors & Products | | Openemr; Openemr openemr

Wed, 25 Mar 2026 23:45:00 +0000

Type | Values Removed | Values Added
Description | | OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the billing file-download endpoint `interface/billing/get_claim_file.php` only verifies that the caller has a valid session and CSRF token, but does not check any ACL permissions. This allows any authenticated OpenEMR user — regardless of whether they have billing privileges — to download and permanently delete electronic claim batch files containing protected health information (PHI). Version 8.0.0.3 patches the issue.
Title | | OpenEMR Missing Authorization on Claim File Download Endpoint
Weaknesses | | CWE-862
References | |
Metrics | | cvssV3_1 {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T18:09:09.836Z

Reserved: 2026-03-24T15:41:47.492Z

Link: CVE-2026-33918

Vulnrichment

Updated: 2026-03-26T18:09:06.700Z

NVD

Status: Analyzed

Published: 2026-03-26T00:16:39.627

Modified: 2026-03-26T16:27:29.090

Link: CVE-2026-33918

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:29:21Z

Weaknesses