What is the CVSS score of CVE-2026-33302?

CVE-2026-33302 has a CVSS 3.1 base score of 8.1 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of Openemr are affected by CVE-2026-33302?

OpenEMR contains a remote code execution vulnerability (CVSS 8.1) that could allow attackers to execute arbitrary code on healthcare systems, directly compromising patient data confidentiality,…. A patch is available.

How to fix or mitigate CVE-2026-33302?

Within 24 hours: Identify all OpenEMR instances in production and document current versions. Within 7 days: Apply vendor-released patch to all affected OpenEMR systems and verify successful deployment. Within 30 days: Conduct vulnerability scan to confirm remediation and perform access logging review for suspicious activity during the gap period.

Openemr CVE-2026-33302

EUVD-2026-13221 HIGH

Incorrect Authorization (CWE-863)

2026-03-19 GitHub_M

Authentication Bypass Openemr

8.1

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

8.1 HIGH

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Updated

Apr 16, 2026 - 06:20 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

Patch available

Apr 16, 2026 - 05:29 EUVD

8.0.0.2

EUVD ID Assigned

Mar 19, 2026 - 21:00 euvd

EUVD-2026-13221

Analysis Generated

Mar 19, 2026 - 21:00 vuln.today

CVE Published

Mar 19, 2026 - 20:23 nvd

HIGH 8.1

DescriptionGitHub Advisory

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, the module ACL function AclMain::zhAclCheck() only checks for the presence of any "allow" (user or group). It never checks for explicit "deny" (allowed=0). As a result, administrators cannot revoke access by setting a user or group to "deny"; if the user is in a group that has "allow," access is granted regardless of explicit denies. Version 8.0.0.2 fixes the issue.

AnalysisAI

A remote code execution vulnerability in OpenEMR (CVSS 8.1). High severity vulnerability requiring prompt remediation.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Authenticate as low-privilege user

Delivery

User inherits allow from group membership

Exploit

Request protected resource

Execution

ACL check ignores explicit deny rules

Impact

Access granted despite administrative restrictions