PHP
CVE-2026-33934
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.3 have a missing authorization check in portal/sign/lib/show-signature.php that allows any authenticated patient portal user to retrieve the drawn signature image of any staff member by supplying an arbitrary user value in the POST body. The companion write endpoint (save-signature.php) was already hardened against this same issue, but the read endpoint was not updated to match. Version 8.0.0.3 patches the issue.
AnalysisAI
OpenEMR contains a missing authorization check in the signature retrieval endpoint (portal/sign/lib/show-signature.php) that allows any authenticated patient portal user to access the drawn signature images of arbitrary staff members by manipulating the POST parameter. Versions prior to 8.0.0.3 are affected, and while the companion write endpoint was previously hardened against this issue, the read endpoint was left vulnerable. This is a low-severity information disclosure vulnerability (CVSS 4.3) with limited real-world exploitability due to the requirement for prior authentication and the relatively low sensitivity of signature images compared to full medical records.
Technical ContextAI
The vulnerability exists in OpenEMR, a PHP-based electronic health records and medical practice management system. The root cause is classified as CWE-639 (Authorization Bypass Through User-Controlled Key), where the application fails to validate that the authenticated user has permission to access signature resources belonging to other users. The vulnerable code path involves the show-signature.php script accepting a user parameter in the POST request body without verifying that the requesting patient portal user is authorized to view that specific staff member's signature. The companion save-signature.php endpoint was previously patched to implement proper authorization controls, establishing a pattern that was inconsistently applied across the codebase. This is a classic horizontal privilege escalation issue within an authenticated context.
RemediationAI
Immediately upgrade OpenEMR to version 8.0.0.3 or later, which includes the authorization check fix implemented in commit ae7ee1872d2e6300b165e24687cc90cf6847a4e5 (available at https://github.com/openemr/openemr/commit/ae7ee1872d2e6300b165e24687cc90cf6847a4e5). Until patching is possible, implement network-level access controls restricting patient portal access to trusted networks only, and review access logs for suspicious signature retrieval patterns (multiple user parameters from single patient accounts). Additionally, audit recent activity logs to determine if the vulnerability was exploited in your environment. The write endpoint (save-signature.php) should already be hardened, so focus remediation efforts on the read endpoint (show-signature.php) in the portal/sign/lib/ directory.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today