Openemr
CVE-2026-33918
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Lifecycle Timeline
2DescriptionGitHub Advisory
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the billing file-download endpoint interface/billing/get_claim_file.php only verifies that the caller has a valid session and CSRF token, but does not check any ACL permissions. This allows any authenticated OpenEMR user - regardless of whether they have billing privileges - to download and permanently delete electronic claim batch files containing protected health information (PHI). Version 8.0.0.3 patches the issue.
AnalysisAI
Improper access control in OpenEMR versions prior to 8.0.0.3 allows any authenticated user to download and permanently delete electronic claim batch files containing protected health information (PHI) via the billing file-download endpoint, regardless of whether they have billing privileges. The vulnerability has a 7.6 CVSS score with low attack complexity and requires only low-level authentication. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires authenticated OpenEMR user account (any role) on versions prior to 8.0.0.3. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L indicates network-based exploitation with low attack complexity requiring authenticated access with no user interaction, yielding a 7.6 severity score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with low-privileged credentials to an OpenEMR instance (such as a front desk staff account without billing permissions) directly accesses the interface/billing/get_claim_file.php endpoint over the network. By manipulating file parameters in HTTP requests with valid session and CSRF tokens, the attacker downloads electronic claim batch files containing patient names, diagnoses, procedures, and insurance information for hundreds of patients, then issues deletion requests to permanently remove the files and obstruct billing operations. … |
| Remediation | Upgrade OpenEMR to version 8.0.0.3 or later, which implements proper ACL permission checks on the billing file-download endpoint (release details at https://github.com/openemr/openemr/releases/tag/v8_0_0_3). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit access logs for the billing file-download endpoint to identify unauthorized access or deletion activity by non-billing staff. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Share
External POC / Exploit Code
Leaving vuln.today