CVE-2026-33934 (GCVE-0-2026-33934)
Vulnerability from cvelistv5 – Published: 2026-03-25 23:41 – Updated: 2026-03-26 18:09
VLAI?
Title
OpenEMR's Missing Authorization in show-signature.php Allows Portal Patients to Read Staff Signatures
Summary
OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.3 have a missing authorization check in `portal/sign/lib/show-signature.php` that allows any authenticated patient portal user to retrieve the drawn signature image of any staff member by supplying an arbitrary `user` value in the POST body. The companion write endpoint (`save-signature.php`) was already hardened against this same issue, but the read endpoint was not updated to match. Version 8.0.0.3 patches the issue.
Severity ?
4.3 (Medium)
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33934",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-26T18:09:29.017140Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T18:09:35.818Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "openemr",
"vendor": "openemr",
"versions": [
{
"status": "affected",
"version": "\u003c 8.0.0.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.3 have a missing authorization check in `portal/sign/lib/show-signature.php` that allows any authenticated patient portal user to retrieve the drawn signature image of any staff member by supplying an arbitrary `user` value in the POST body. The companion write endpoint (`save-signature.php`) was already hardened against this same issue, but the read endpoint was not updated to match. Version 8.0.0.3 patches the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T23:41:51.601Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/openemr/openemr/security/advisories/GHSA-w9w5-7x6h-657q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/openemr/openemr/security/advisories/GHSA-w9w5-7x6h-657q"
},
{
"name": "https://github.com/openemr/openemr/commit/ae7ee1872d2e6300b165e24687cc90cf6847a4e5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/openemr/openemr/commit/ae7ee1872d2e6300b165e24687cc90cf6847a4e5"
},
{
"name": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3"
}
],
"source": {
"advisory": "GHSA-w9w5-7x6h-657q",
"discovery": "UNKNOWN"
},
"title": "OpenEMR\u0027s Missing Authorization in show-signature.php Allows Portal Patients to Read Staff Signatures"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33934",
"datePublished": "2026-03-25T23:41:51.601Z",
"dateReserved": "2026-03-24T19:50:52.103Z",
"dateUpdated": "2026-03-26T18:09:35.818Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-33934",
"date": "2026-04-17",
"epss": "0.00042",
"percentile": "0.12545"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-33934\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-26T00:16:40.290\",\"lastModified\":\"2026-03-26T16:28:33.680\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.3 have a missing authorization check in `portal/sign/lib/show-signature.php` that allows any authenticated patient portal user to retrieve the drawn signature image of any staff member by supplying an arbitrary `user` value in the POST body. The companion write endpoint (`save-signature.php`) was already hardened against this same issue, but the read endpoint was not updated to match. Version 8.0.0.3 patches the issue.\"},{\"lang\":\"es\",\"value\":\"OpenEMR es una aplicaci\u00f3n gratuita y de c\u00f3digo abierto para la gesti\u00f3n de registros de salud electr\u00f3nicos y pr\u00e1ctica m\u00e9dica. Las versiones anteriores a la 8.0.0.3 tienen una verificaci\u00f3n de autorizaci\u00f3n faltante en \u0027portal/sign/lib/show-signature.php\u0027 que permite a cualquier usuario autenticado del portal de pacientes recuperar la imagen de la firma dibujada de cualquier miembro del personal al proporcionar un valor \u0027user\u0027 arbitrario en el cuerpo POST. El endpoint de escritura asociado (\u0027save-signature.php\u0027) ya estaba reforzado contra este mismo problema, pero el endpoint de lectura no se actualiz\u00f3 para coincidir. La versi\u00f3n 8.0.0.3 corrige el problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-639\"},{\"lang\":\"en\",\"value\":\"CWE-862\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"8.0.0.3\",\"matchCriteriaId\":\"E3E098AF-42A1-4798-85A7-80052F19F809\"}]}]}],\"references\":[{\"url\":\"https://github.com/openemr/openemr/commit/ae7ee1872d2e6300b165e24687cc90cf6847a4e5\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/openemr/openemr/releases/tag/v8_0_0_3\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/openemr/openemr/security/advisories/GHSA-w9w5-7x6h-657q\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33934\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-26T18:09:29.017140Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-26T18:09:32.903Z\"}}], \"cna\": {\"title\": \"OpenEMR\u0027s Missing Authorization in show-signature.php Allows Portal Patients to Read Staff Signatures\", \"source\": {\"advisory\": \"GHSA-w9w5-7x6h-657q\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"openemr\", \"product\": \"openemr\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 8.0.0.3\"}]}], \"references\": [{\"url\": \"https://github.com/openemr/openemr/security/advisories/GHSA-w9w5-7x6h-657q\", \"name\": \"https://github.com/openemr/openemr/security/advisories/GHSA-w9w5-7x6h-657q\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/openemr/openemr/commit/ae7ee1872d2e6300b165e24687cc90cf6847a4e5\", \"name\": \"https://github.com/openemr/openemr/commit/ae7ee1872d2e6300b165e24687cc90cf6847a4e5\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/openemr/openemr/releases/tag/v8_0_0_3\", \"name\": \"https://github.com/openemr/openemr/releases/tag/v8_0_0_3\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.3 have a missing authorization check in `portal/sign/lib/show-signature.php` that allows any authenticated patient portal user to retrieve the drawn signature image of any staff member by supplying an arbitrary `user` value in the POST body. The companion write endpoint (`save-signature.php`) was already hardened against this same issue, but the read endpoint was not updated to match. Version 8.0.0.3 patches the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-639\", \"description\": \"CWE-639: Authorization Bypass Through User-Controlled Key\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-862\", \"description\": \"CWE-862: Missing Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-25T23:41:51.601Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-33934\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-26T18:09:35.818Z\", \"dateReserved\": \"2026-03-24T19:50:52.103Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-25T23:41:51.601Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…