CVE-2026-33915

Source
https://cve.org/CVERecord?id=CVE-2026-33915
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33915.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-33915
Aliases
  • GHSA-ww94-26v7-x4gp
Published
2026-03-25T23:23:40.694Z
Modified
2026-07-08T08:00:15.360807402Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
Summary
OpenEMR Missing ACL Checks on Insurance Company API Routes
Details

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, five insurance company REST API routes are missing the RestConfig::request_authorization_check() call that every other data-modifying route in the standard API uses. This allows any authenticated API user to create and modify insurance company records even if their OpenEMR user account does not have administrative ACL permissions. Version 8.0.0.3 patches the issue.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-862"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33915.json"
}
References

Affected packages

Git / github.com/openemr/openemr

Affected ranges

Type
GIT
Repo
https://github.com/openemr/openemr
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "8.0.0.3"
        }
    ],
    "cpe": "cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*",
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ]
}

Affected versions

Other
v2_7_2
v2_7_2-rc1
v2_7_2-rc2
v2_7_3-rc1
v2_8_0
v2_8_1
v2_8_2
v2_8_3
v2_9_0
v3_0_0
v3_0_1
v8_0_0
v8_0_0_1
v8_0_0_2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33915.json"