CVE-2026-33915

Published: Mar 26, 2026 Last Modified: Mar 26, 2026

ExploitDB:

Other exploit source:

Google Dorks:

MEDIUM 5,4

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: low

User Interaction: none

Scope: unchanged

Confidentiality: low

Integrity: low

Availability: none

Description

AI Translation Available

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, five insurance company REST API routes are missing the `RestConfig::request_authorization_check()` call that every other data-modifying route in the standard API uses. This allows any authenticated API user to create and modify insurance company records even if their OpenEMR user account does not have administrative ACL permissions. Version 8.0.0.3 patches the issue.

862

Missing Authorization

Incomplete

Abstraction: Class Structure: Simple

Common Consequences

Security Scopes Affected:

Confidentiality Integrity Access Control Availability

Potential Impacts:

Read Application Data Read Files Or Directories Modify Application Data Modify Files Or Directories Gain Privileges Or Assume Identity Bypass Protection Mechanism Dos: Crash, Exit, Or Restart Dos: Resource Consumption (Cpu) Dos: Resource Consumption (Memory) Dos: Resource Consumption (Other)

Applicable Platforms

Technologies: AI/ML, Database Server, Not Technology-Specific, Web Server

Likelihood of Exploit: High

View CWE Details

https://github.com/openemr/openemr/commit/976d2a85f024a7309…

https://github.com/openemr/openemr/commit/976d2a85f024a730955578597a82c083067a7…

https://github.com/openemr/openemr/releases/tag/v8_0_0_3

https://github.com/openemr/openemr/security/advisories/GHSA…

https://github.com/openemr/openemr/security/advisories/GHSA-ww94-26v7-x4gp

CVE-2026-33915

Description

Missing Authorization

Common Consequences

Applicable Platforms

Iscriviti alla newsletter