CVE-2026-33304
Authorization Bypass in OpenEMR Allows Unauthorized Reminder Access

Publication date: 2026-03-19

Last updated on: 2026-03-20

Assigner: GitHub, Inc.

Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, an authorization bypass in the dated reminders log allows any authenticated non-admin user to view reminder messages belonging to other users, including associated patient names and free-text message content, by crafting a GET request with arbitrary user IDs in the `sentTo[]` or `sentBy[]` parameters. Version 8.0.0.2 fixes the issue.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-03-19
EPSS evaluated: 2026-06-15
Affected Vendors & Products
Vendor: open-emr
Product: openemr
Version / Range: up to 8.0.0.2 (excluding)
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Executive Summary

CVE-2026-33304 is an authorization bypass vulnerability in OpenEMR versions prior to 8.0.0.2 affecting the dated reminders log feature.

This vulnerability allows any authenticated non-admin user to view reminder messages that belong to other users by manipulating the GET request parameters `sentTo[]` or `sentBy[]` with arbitrary user IDs.

The system was intended to restrict non-admin users to only see their own reminders, but the authorization check only applied if both parameters were absent. If a user supplied either parameter, the check was bypassed, allowing access to other users' reminders.

As a result, sensitive information such as patient names and free-text message content could be accessed by unauthorized users. [1]
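The flawed check described in the summary above, modelled in Python as an added example (not OpenEMR's own code): the vulnerable variant applies the non-admin restriction only when both parameters are absent, beside a hardened variant that pins a non-admin caller to their own id whatever the request carries. The reminder records, user ids and function names are constructed for the illustration.

```python
from collections import namedtuple

# Simplified model of the reminders-log authorization logic as the advisory
# describes it. Added illustration, not OpenEMR's code: the reminder records,
# user ids and function names below are constructed for the example.
Reminder = namedtuple("Reminder", "id sent_by sent_to patient message")

ADMIN_ID = 1
REMINDERS = [  # constructed sample data
    Reminder(1, sent_by=2, sent_to=3, patient="Patient A", message="follow up on labs"),
    Reminder(2, sent_by=3, sent_to=2, patient="Patient B", message="call back re: refill"),
    Reminder(3, sent_by=4, sent_to=5, patient="Patient C", message="schedule imaging"),
]

def _parse(params):
    """Query parameters arrive as lists of strings, e.g. {"sentTo[]": ["5"]}."""
    to_ids = [int(x) for x in params.get("sentTo[]", [])]
    by_ids = [int(x) for x in params.get("sentBy[]", [])]
    return to_ids, by_ids

def _select(to_ids, by_ids):
    """Return ids of reminders matching the supplied sentTo/sentBy filters."""
    return [r.id for r in REMINDERS
            if (not to_ids or r.sent_to in to_ids)
            and (not by_ids or r.sent_by in by_ids)]

def _own(current_user):
    """Default view for a non-admin: reminders sent to or by the caller."""
    return [r.id for r in REMINDERS if current_user in (r.sent_by, r.sent_to)]

def vulnerable_filter(current_user, params):
    """Pre-8.0.0.2 behaviour: the non-admin restriction is applied only when
    BOTH parameters are absent, so supplying either one skips it."""
    to_ids, by_ids = _parse(params)
    if current_user != ADMIN_ID and not to_ids and not by_ids:
        return _own(current_user)
    return _select(to_ids, by_ids)  # caller-controlled ids, no ownership check

def fixed_filter(current_user, params):
    """Hardened variant: a non-admin caller may only filter on their own id,
    whatever the request carries; admins keep the unrestricted filter."""
    to_ids, by_ids = _parse(params)
    if current_user != ADMIN_ID:
        to_ids = [u for u in to_ids if u == current_user]
        by_ids = [u for u in by_ids if u == current_user]
        if not to_ids and not by_ids:
            return _own(current_user)
    return _select(to_ids, by_ids)
```

With user 2 requesting `sentTo[]=5`, the vulnerable variant returns reminder 3 (users 4 and 5), while the fixed variant falls back to user 2's own reminders.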

Impact Analysis

This vulnerability can impact you by exposing Protected Health Information (PHI) to any authenticated non-admin user.

An attacker or unauthorized user can view reminder messages belonging to other users, including sensitive patient names and free-text message content.

Attackers can enumerate reminders across all users by iterating over user IDs, potentially gaining access to a large amount of sensitive data.

Although the vulnerability is read-only and does not allow modification or deletion of data, the confidentiality of sensitive health information is compromised.


Detection Guidance

This vulnerability can be detected by attempting to access the dated reminders log with crafted GET requests that include arbitrary user IDs in the `sentTo[]` or `sentBy[]` parameters as a non-admin authenticated user.

A practical detection method involves logging in as a non-admin user and issuing a GET request to the endpoint `/interface/main/dated_reminders/dated_reminders_log.php` with the `csrf_token_form` parameter and either `sentTo[]` or `sentBy[]` set to another user's ID.

- Example curl command to test access to another user's reminders (replace `<token>` and `<user_id>` accordingly):
  curl -b cookies.txt "https://<openemr-host>/interface/main/dated_reminders/dated_reminders_log.php?csrf_token_form=<token>&sentTo[]=<user_id>"
- Similarly, test with the `sentBy[]` parameter:
  curl -b cookies.txt "https://<openemr-host>/interface/main/dated_reminders/dated_reminders_log.php?csrf_token_form=<token>&sentBy[]=<user_id>"

If the response contains reminder messages, patient names, or other users' data, the vulnerability is present. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade OpenEMR to version 8.0.0.2 or later, where the vulnerability is fixed by enforcing proper authorization checks on the `sentBy` and `sentTo` parameters.

Until the upgrade can be applied, restrict access to the dated reminders log page for non-admin users or implement network-level controls to prevent unauthorized crafted GET requests.

Additionally, monitor and audit access logs for suspicious requests containing `sentBy[]` or `sentTo[]` parameters with arbitrary user IDs.
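The log audit suggested above, as an added example that is not part of the advisory: it parses constructed combined-format access-log lines and flags accounts whose requests to the reminders log name user ids other than their own. The username-to-id lookup, client addresses, usernames and ids are assumptions made for the example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format access-log lines; the client addresses,
# usernames, ids and the unrelated page are made up for this example. Only the
# reminders-log path and the sentTo[]/sentBy[] parameters come from the
# advisory. The third request carries the parameter percent-encoded.
SAMPLE_LOG = """\
10.0.0.5 - nurse1 [19/Mar/2026:10:00:01 +0000] "GET /interface/main/dated_reminders/dated_reminders_log.php?csrf_token_form=t HTTP/1.1" 200 512
10.0.0.5 - nurse1 [19/Mar/2026:10:00:09 +0000] "GET /interface/main/dated_reminders/dated_reminders_log.php?csrf_token_form=t&sentTo[]=8 HTTP/1.1" 200 2048
10.0.0.5 - nurse1 [19/Mar/2026:10:00:11 +0000] "GET /interface/main/dated_reminders/dated_reminders_log.php?csrf_token_form=t&sentBy%5B%5D=9 HTTP/1.1" 200 1700
10.0.0.5 - nurse1 [19/Mar/2026:10:00:13 +0000] "GET /interface/main/dated_reminders/dated_reminders_log.php?csrf_token_form=t&sentTo[]=7 HTTP/1.1" 200 900
10.0.0.9 - dr_lee [19/Mar/2026:10:02:00 +0000] "GET /interface/main/dated_reminders/dated_reminders_log.php?csrf_token_form=t&sentTo[]=4 HTTP/1.1" 200 880
10.0.0.9 - dr_lee [19/Mar/2026:10:05:00 +0000] "GET /interface/main/unrelated_page.php HTTP/1.1" 200 300
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]*\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)')
REMINDERS_LOG = "/interface/main/dated_reminders/dated_reminders_log.php"

def requested_user_ids(target):
    """Return the set of ids named in sentTo[]/sentBy[] of one request target."""
    qs = parse_qs(urlsplit(target).query)  # parse_qs also decodes %5B%5D
    return set(qs.get("sentTo[]", []) + qs.get("sentBy[]", []))

def find_suspicious(log_text, own_id):
    """own_id maps the log's authenticated username to that user's OpenEMR
    user id (a constructed lookup here). Returns {username: sorted ids that
    are not the user's own}; several ids from one account indicate iteration
    over user ids as described in the impact analysis."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m.group("target").startswith(REMINDERS_LOG):
            continue
        seen[m.group("user")] |= requested_user_ids(m.group("target"))
    flagged = {}
    for user, ids in seen.items():
        foreign = sorted(i for i in ids if i != str(own_id.get(user)))
        if foreign:
            flagged[user] = foreign
    return flagged

if __name__ == "__main__":
    print(find_suspicious(SAMPLE_LOG, {"nurse1": 7, "dr_lee": 4}))
```

On a patched 8.0.0.2 instance such requests are harmless, but the same audit still shows which accounts were probing other users' ids before the upgrade.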
