CVE-2026-33915 (GCVE-0-2026-33915)
Vulnerability from cvelistv5 – Published: 2026-03-25 23:23 – Updated: 2026-03-26 15:02
VLAI?
Title
OpenEMR Missing ACL Checks on Insurance Company API Routes
Summary
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, five insurance company REST API routes are missing the `RestConfig::request_authorization_check()` call that every other data-modifying route in the standard API uses. This allows any authenticated API user to create and modify insurance company records even if their OpenEMR user account does not have administrative ACL permissions. Version 8.0.0.3 patches the issue.
Severity ?
5.4 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33915",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-26T14:43:29.988298Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T15:02:43.569Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "openemr",
"vendor": "openemr",
"versions": [
{
"status": "affected",
"version": "\u003c 8.0.0.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, five insurance company REST API routes are missing the `RestConfig::request_authorization_check()` call that every other data-modifying route in the standard API uses. This allows any authenticated API user to create and modify insurance company records even if their OpenEMR user account does not have administrative ACL permissions. Version 8.0.0.3 patches the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T23:29:56.335Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/openemr/openemr/security/advisories/GHSA-ww94-26v7-x4gp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/openemr/openemr/security/advisories/GHSA-ww94-26v7-x4gp"
},
{
"name": "https://github.com/openemr/openemr/commit/976d2a85f024a730955578597a82c083067a72b4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/openemr/openemr/commit/976d2a85f024a730955578597a82c083067a72b4"
},
{
"name": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3"
}
],
"source": {
"advisory": "GHSA-ww94-26v7-x4gp",
"discovery": "UNKNOWN"
},
"title": "OpenEMR Missing ACL Checks on Insurance Company API Routes"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33915",
"datePublished": "2026-03-25T23:23:40.694Z",
"dateReserved": "2026-03-24T15:41:47.492Z",
"dateUpdated": "2026-03-26T15:02:43.569Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-33915",
"date": "2026-04-17",
"epss": "0.00034",
"percentile": "0.09845"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-33915\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-26T00:16:39.303\",\"lastModified\":\"2026-03-26T16:26:16.513\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, five insurance company REST API routes are missing the `RestConfig::request_authorization_check()` call that every other data-modifying route in the standard API uses. This allows any authenticated API user to create and modify insurance company records even if their OpenEMR user account does not have administrative ACL permissions. Version 8.0.0.3 patches the issue.\"},{\"lang\":\"es\",\"value\":\"OpenEMR es una aplicaci\u00f3n de gesti\u00f3n de pr\u00e1cticas m\u00e9dicas y registros de salud electr\u00f3nicos de c\u00f3digo abierto y gratuita. Antes de la versi\u00f3n 8.0.0.3, cinco rutas de la API REST de compa\u00f1\u00edas de seguros carecen de la llamada \u0027RestConfig::request_authorization_check()\u0027 que utiliza cualquier otra ruta de modificaci\u00f3n de datos en la API est\u00e1ndar. Esto permite a cualquier usuario de la API autenticado crear y modificar registros de compa\u00f1\u00edas de seguros incluso si su cuenta de usuario de OpenEMR no tiene permisos ACL administrativos. La versi\u00f3n 8.0.0.3 corrige el problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.5},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.5}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-862\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"8.0.0.3\",\"matchCriteriaId\":\"E3E098AF-42A1-4798-85A7-80052F19F809\"}]}]}],\"references\":[{\"url\":\"https://github.com/openemr/openemr/commit/976d2a85f024a730955578597a82c083067a72b4\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/openemr/openemr/releases/tag/v8_0_0_3\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/openemr/openemr/security/advisories/GHSA-ww94-26v7-x4gp\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33915\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-26T14:43:29.988298Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-26T14:43:37.400Z\"}}], \"cna\": {\"title\": \"OpenEMR Missing ACL Checks on Insurance Company API Routes\", \"source\": {\"advisory\": \"GHSA-ww94-26v7-x4gp\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"openemr\", \"product\": \"openemr\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 8.0.0.3\"}]}], \"references\": [{\"url\": \"https://github.com/openemr/openemr/security/advisories/GHSA-ww94-26v7-x4gp\", \"name\": \"https://github.com/openemr/openemr/security/advisories/GHSA-ww94-26v7-x4gp\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/openemr/openemr/commit/976d2a85f024a730955578597a82c083067a72b4\", \"name\": \"https://github.com/openemr/openemr/commit/976d2a85f024a730955578597a82c083067a72b4\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/openemr/openemr/releases/tag/v8_0_0_3\", \"name\": \"https://github.com/openemr/openemr/releases/tag/v8_0_0_3\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, five insurance company REST API routes are missing the `RestConfig::request_authorization_check()` call that every other data-modifying route in the standard API uses. This allows any authenticated API user to create and modify insurance company records even if their OpenEMR user account does not have administrative ACL permissions. Version 8.0.0.3 patches the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-862\", \"description\": \"CWE-862: Missing Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-25T23:29:56.335Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-33915\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-26T15:02:43.569Z\", \"dateReserved\": \"2026-03-24T15:41:47.492Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-25T23:23:40.694Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…