CVE-2026-33321
OOB SSRF in OpenEMR PDF Generation via Unescaped HTML
Publication date: 2026-03-19
Last updated on: 2026-03-20
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open-emr | openemr | to 8.0.0.2 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
Can you explain this vulnerability to me?
CVE-2026-33321 is a high severity Out-of-Band Server-Side Request Forgery (OOB SSRF) vulnerability in OpenEMR versions up to 8.0.0.1. It occurs in the PDF creation function of the Eye Exam form within patient encounters, where answers entered by users with the "Notes - my encounters" role are parsed as unescaped HTML.
This allows an attacker to inject malicious HTML tags, such as an <img> tag, causing the OpenEMR server to make unauthorized HTTP requests to external or internal resources. The vulnerability arises because the form answers are not properly sanitized before being included in the PDF report. [1]
How can this vulnerability impact me?
The impacts of this vulnerability include:
- Disclosure of the server's real IP address.
- Probing of internal services or servers.
- Generation of large volumes of traffic to unintended resources, potentially causing the server to be blacklisted.
- Downloading arbitrary images or files into the system and patient records.
- Other unspecified attacks leveraging the SSRF vector.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unauthorized HTTP requests originating from the OpenEMR server, especially those triggered during PDF generation of Eye Exam forms.
One practical detection method is to check logs or network traffic for outbound requests to unusual or attacker-controlled external URLs, such as webhook.site or other unexpected domains.
Additionally, reviewing the Eye Exam form inputs for injected HTML tags like <img> tags in the HPI field or other form fields can help identify exploitation attempts.
Suggested commands include:
- Use network monitoring tools (e.g., tcpdump or Wireshark) to capture outbound HTTP requests from the OpenEMR server: tcpdump -i eth0 'tcp dst port 80 or 443'
- Search web server logs for unusual outbound requests or URLs: grep -i 'http' /var/log/apache2/access.log
- Inspect the Eye Exam form data in the database for suspicious HTML content, for example using SQL queries to find <img> tags or external URLs. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation is to update OpenEMR to version 8.0.0.2 or later, where the vulnerability has been fixed by sanitizing form output to prevent injection of unescaped HTML in the PDF generation process.
Until the update can be applied, restrict or review user roles that have the 'Notes - my encounters' permission, as these roles can exploit the vulnerability.
Monitor and block suspicious outbound HTTP requests from the server to prevent exploitation and data leakage.
Consider applying network-level controls such as firewall rules to limit the server's ability to make arbitrary outbound HTTP requests. [1]