CVE-2026-33305 in OpenEMR

Summary

by MITRE • 03/19/2026

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, an authorization bypass in the optional FaxSMS module (`oe-module-faxsms`) allows any authenticated OpenEMR user to invoke controller methods — including `getNotificationLog()`, which returns patient appointment data (PHI) — regardless of whether they hold the required ACL permissions. The `AppDispatch` constructor dispatches user-controlled actions and exits the process before any calling code can enforce ACL checks. Version 8.0.0.2 fixes the issue.


Analysis

by VulDB Data Team • 03/24/2026

The vulnerability identified as CVE-2026-33305 affects OpenEMR versions prior to 8.0.0.2 and is a critical authorization bypass in the optional FaxSMS module. It stems from an improper access control implementation in which authenticated users can execute privileged controller methods without the required authorization checks. The flaw sits in the AppDispatch constructor, which processes user-controlled actions and terminates execution before any access control list validation can occur. A user who is already logged in can therefore bypass the intended security boundary and reach sensitive patient information through methods such as getNotificationLog(), which returns PHI including patient appointment details. This is a fundamental breakdown of the application's authorization mechanism: user permissions are never validated before a sensitive operation runs. That the vulnerability lives in the optional oe-module-faxsms module shows that even non-essential components can contain critical flaws affecting the entire system's data protection posture. Organizations running OpenEMR versions before 8.0.0.2 face a significant risk of unauthorized data access and privacy violations.

The technical implementation of this vulnerability demonstrates a classic access control design flaw: authorization is not enforced at the security boundary where it matters. The AppDispatch constructor acts as an entry point that processes user input without validating whether the requesting user holds the permissions needed for the targeted controller method. As a result, any authenticated user can invoke methods that should be restricted to specific roles or privileges. The bypass occurs because the constructor exits the process before any access control validation in the calling code can run, which amounts to privilege escalation through improper input handling. This type of vulnerability is classified as CWE-285 (Improper Authorization). User-controllable parameters are processed directly, with no authorization verification, creating a path to protected resources. The impact is amplified because the data involved is PHI, which is subject to strict regulatory requirements under healthcare privacy laws.

The operational impact of this vulnerability extends beyond simple data access to potential compliance violations and security breaches that affect patient privacy and organizational reputation. Any authenticated user within the OpenEMR system can exploit this flaw to read patient appointment and scheduling details and other protected health information. Such unauthorized access can lead to data breaches, privacy violations and legal consequences under healthcare data protection regulations. The vulnerability's persistence across multiple versions points to a systemic weakness in the application's security implementation that could affect the many organizations relying on OpenEMR for medical record management. That the flaw is in an optional module does not diminish its severity; secondary components can compromise the security of the entire system. Organizations may unknowingly expose sensitive patient data through this vulnerability, particularly in environments where many users have accounts and access controls are not otherwise tightly enforced.

Mitigation requires immediate deployment of the patched version 8.0.0.2, which closes the authorization bypass through proper access control enforcement. Organizations should also assess any other modules or components that might exhibit similar authorization bypass patterns. The recommended approach is to perform input validation and access control checks before any user-controllable action is processed, so that the AppDispatch constructor (or the code that reaches it) verifies authorization before executing controller methods. Security teams should monitor and log access attempts to detect potential exploitation and to maintain audit trails for compliance purposes. The fix illustrates the importance of security boundaries and validation checks at every level of the application architecture, particularly in modules that handle sensitive data. Additional controls such as role-based access control, regular security assessments and a tested incident response procedure help limit the impact of any exploitation attempt. This vulnerability is a reminder of how critical proper access control implementation is in healthcare applications and of the consequences of failing to enforce authorization checks. Remediation should include thorough testing to confirm that access controls function correctly and that no similar vulnerabilities remain elsewhere in the codebase.
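The dispatch pattern described in the analysis and the check-before-dispatch fix it calls for, as an added illustration that is not OpenEMR's code: the controller, the action-to-permission map and the `$hasAcl` callback are hypothetical stand-ins for the application's real ACL machinery.

```php
<?php
// Added illustration (not OpenEMR code); controller, action and ACL names are hypothetical.

final class FaxController
{
    // Stand-in for a method returning appointment data (PHI); the value is a constructed sample.
    public function getNotificationLog(): array
    {
        return ['patient' => 'sample', 'appointment' => '2026-03-19 09:00'];
    }
}

// Vulnerable shape: the constructor reads the action, runs it and exits, so an ACL
// check the caller meant to perform after `new` never executes.
final class VulnerableDispatch
{
    public function __construct(array $request, FaxController $controller)
    {
        $action = $request['action'] ?? '';
        if (method_exists($controller, $action)) {
            echo json_encode($controller->$action());
            exit; // calling code is never reached
        }
    }
}

// Hardened shape: constructing the dispatcher does nothing; dispatch() is explicit,
// maps each action to the permission it needs and denies unknown actions.
final class GuardedDispatch
{
    private const REQUIRED_ACL = ['getNotificationLog' => 'patients']; // assumed ACL section name

    public function __construct(private FaxController $controller) {}

    // $hasAcl wraps the application's own ACL check (e.g. a role/section lookup).
    public function dispatch(array $request, callable $hasAcl): string
    {
        $action  = $request['action'] ?? '';
        $section = self::REQUIRED_ACL[$action] ?? null;
        if ($section === null || !$hasAcl($section)) {
            http_response_code(403);
            return json_encode(['error' => 'forbidden']);
        }
        return json_encode($this->controller->$action());
    }
}

// Usage with a constructed request from a user who lacks the patients ACL.
$dispatch = new GuardedDispatch(new FaxController());
echo $dispatch->dispatch(['action' => 'getNotificationLog'], fn (string $section): bool => false);
```

Because the guarded version denies any action absent from its map, adding a new controller method cannot silently expose it; the method must be listed with a permission before it becomes reachable.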

Responsible: GitHub M
Reservation: 03/18/2026
Disclosure: 03/19/2026
Moderation: accepted
CPE: ready
EPSS: 0.00081
KEV: no
Activities: very low
