CVE-2026-33910
Received Received - Intake
SQL Injection in OpenEMR Patient Selection Allows Data Access

Publication date: 2026-03-25

Last updated on: 2026-03-26

Assigner: GitHub, Inc.

Description
OpenEMR is a free and open source electronic health records and medical practice management application. Versions up to and including 8.0.0.2 contain a SQL injection vulnerability in the patient selection feature that can be exploited by authenticated attackers. The vulnerability exists due to insufficient input validation in the patient selection feature. Version 8.0.0.3 contains a patch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-03-26
Generated
2026-06-16
AI Q&A
2026-03-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33910
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
open-emr openemr to 8.0.0.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a SQL injection issue found in OpenEMR versions up to and including 8.0.0.2. It occurs in the patient selection feature due to insufficient input validation, allowing authenticated attackers to manipulate database queries.

Impact Analysis

Exploitation of this vulnerability can lead to severe impacts including unauthorized access to sensitive patient data, modification or deletion of data, and disruption of the application’s availability.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade OpenEMR to version 8.0.0.3 or later, as this version contains the patch that fixes the SQL injection vulnerability in the patient selection feature.

Compliance Impact

The vulnerability is a SQL injection in OpenEMR's patient selection feature that can be exploited by authenticated attackers, potentially leading to unauthorized access or modification of sensitive patient data.

Since OpenEMR is an electronic health records application, exploitation of this vulnerability could compromise the confidentiality, integrity, and availability of protected health information (PHI), which is critical for compliance with regulations such as HIPAA.

Similarly, unauthorized access or data breaches resulting from this vulnerability could impact compliance with data protection regulations like GDPR, which require safeguarding personal data.

Detection Guidance

This vulnerability can be detected by checking if your OpenEMR installation is running a version prior to 8.0.0.3, as versions up to and including 8.0.0.2 contain the SQL injection flaw in the patient selection feature.

To detect exploitation attempts or presence of the vulnerability, you can look for suspicious entries in the `layout_options` table, especially in the `field_id` column, which may contain SQL injection payloads such as "injection'payload" or "1 OR 1=1".

Suggested commands to investigate the database for suspicious entries include:

  • Using SQL to query the `layout_options` table for suspicious patterns: SELECT * FROM layout_options WHERE field_id LIKE "%' OR %" OR field_id LIKE "%--%" OR field_id LIKE "%;--%";
  • Checking for errors or unusual logs in the application logs that indicate SQL syntax errors related to patient selection queries.

Additionally, verifying the OpenEMR version can be done by checking the application version or the version file to ensure it is 8.0.0.3 or later, which contains the patch.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33910. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart