CVE-2026-33305

EUVD-2026-13227

19.03.2026, 21:17

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, an authorization bypass in the optional FaxSMS module (`oe-module-faxsms`) allows any authenticated OpenEMR user to invoke controller methods — including `getNotificationLog()`, which returns patient appointment data (PHI) — regardless of whether they hold the required ACL permissions. The `AppDispatch` constructor dispatches user-controlled actions and exits the process before any calling code can enforce ACL checks. Version 8.0.0.2 fixes the issue.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.4 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
GitHub_M	CNA	5.4 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
open-emr	openemr	𝑥 < 8.0.0.2

𝑥

= Vulnerable software versions

Known Exploits!

https://github.com/openemr/openemr/security/advisories/GHSA-r973-h5cq-35rc

Common Weakness Enumeration

CWE-696 - Incorrect Behavior Order
The product performs multiple related behaviors, but the behaviors are performed in the wrong order in ways which may produce resultant weaknesses.

References

https://github.com/openemr/openemr/commit/edb65936e259b2625e8eea4628316c4577cb2a11

https://github.com/openemr/openemr/security/advisories/GHSA-r973-h5cq-35rc