CVE-2026-33301
Arbitrary File Read in OpenEMR PDF Eye Exam Export
Publication date: 2026-03-19
Last updated on: 2026-03-20
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open-emr | openemr | all versions before 8.0.0.2 (8.0.0.2 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-116 | The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33301 is an arbitrary file read vulnerability in OpenEMR versions prior to 8.0.0.2, specifically in the PDF generation function for Eye Exam forms.

Users with the 'Notes - my encounters' role can inject unescaped HTML image tags into the form answers. When the PDF is generated, the server reads and embeds the referenced local files from the server filesystem into the PDF.

This allows an attacker with limited privileges to read arbitrary files on the server, potentially exposing sensitive patient data or other confidential information. [1]
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of sensitive information by allowing an attacker to read arbitrary files on the OpenEMR server.
- Exposure of sensitive patient data stored on the server.
- Disclosure of confidential server files that could aid further attacks.
- Potential privacy violations due to leakage of protected health information.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by verifying if your OpenEMR installation is a version prior to 8.0.0.2 and if users with the "Notes - my encounters" role can insert unescaped HTML image tags in the Eye Exam form's HPI field.

A practical detection method involves attempting to reproduce the exploit steps in a controlled environment:

- Place an arbitrary image file on the server.
- Log in as a user with the "Notes - my encounters" role.
- Open or create a patient encounter and access the Eye Exam form.
- Insert an HTML image tag referencing a local file path (e.g., `<img src=file:///path/to/file>`) in the HPI field.
- Save the form and generate the PDF report.

If the generated PDF includes the referenced local file, the vulnerability is present.

No specific network commands are provided in the available resources, but monitoring PDF generation logs or scanning for OpenEMR versions prior to 8.0.0.2 can help identify vulnerable systems. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation is to upgrade OpenEMR to version 8.0.0.2 or later, where the vulnerability has been fixed by sanitizing form output to prevent injection of unescaped HTML.

Until the upgrade can be performed, restrict or review user permissions to ensure that only trusted users have the "Notes - my encounters" role, as this role is required to exploit the vulnerability.

Additionally, monitor and audit PDF generation activities for suspicious or unexpected file inclusions. [1]