CVE-2026-33910
SQL Injection in OpenEMR Patient Selection Allows Data Access
Publication date: 2026-03-25
Last updated on: 2026-03-26
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open-emr | openemr | to 8.0.0.3 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a SQL injection issue found in OpenEMR versions up to and including 8.0.0.2. It occurs in the patient selection feature due to insufficient input validation, allowing authenticated attackers to manipulate database queries.
How can this vulnerability impact me?
Exploitation of this vulnerability can lead to severe impacts including unauthorized access to sensitive patient data, modification or deletion of data, and disruption of the application's availability.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade OpenEMR to version 8.0.0.3 or later, as this version contains the patch that fixes the SQL injection vulnerability in the patient selection feature.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability is a SQL injection in OpenEMR's patient selection feature that can be exploited by authenticated attackers, potentially leading to unauthorized access or modification of sensitive patient data.
Since OpenEMR is an electronic health records application, exploitation of this vulnerability could compromise the confidentiality, integrity, and availability of protected health information (PHI), which is critical for compliance with regulations such as HIPAA.
Similarly, unauthorized access or data breaches resulting from this vulnerability could impact compliance with data protection regulations like GDPR, which require safeguarding personal data.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if your OpenEMR installation is running a version prior to 8.0.0.3, as versions up to and including 8.0.0.2 contain the SQL injection flaw in the patient selection feature.
To detect exploitation attempts or presence of the vulnerability, you can look for suspicious entries in the `layout_options` table, especially in the `field_id` column, which may contain SQL injection payloads such as "injection'payload" or "1 OR 1=1".
Suggested commands to investigate the database for suspicious entries include:
- Using SQL to query the `layout_options` table for suspicious patterns: `SELECT * FROM layout_options WHERE field_id LIKE "%' OR %" OR field_id LIKE "%--%" OR field_id LIKE "%;--%";`
- Checking for errors or unusual logs in the application logs that indicate SQL syntax errors related to patient selection queries.
Additionally, verifying the OpenEMR version can be done by checking the application version or the version file to ensure it is 8.0.0.3 or later, which contains the patch.
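The version check and the `field_id` review described above, as an added Python example that is not part of this advisory or of OpenEMR. The regexes mirror the LIKE clauses given above and additionally flag any bare single quote (so that a value like "injection'payload" is caught); the table layout and sample rows are constructed, and a DB-API connection to the real database is assumed to work the same way.

```python
import re
import sqlite3

# Version in which the fix shipped, per the advisory.
FIXED_VERSION = (8, 0, 0, 3)


def parse_version(text):
    """Turn '8.0.0.2' into a comparable 4-tuple of ints; missing parts count as 0."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    return tuple((parts + [0, 0, 0, 0])[:4])


def is_affected(version_text):
    """True when the installed OpenEMR version predates 8.0.0.3."""
    return parse_version(version_text) < FIXED_VERSION


# Patterns to review in layout_options.field_id. field_id values are normally
# short identifier-like strings, so any of these warrants a closer look.
SUSPICIOUS = [
    ("quote-or", re.compile(r"'\s*or\b", re.IGNORECASE)),
    ("or-tautology", re.compile(r"\bor\s+\d+\s*=\s*\d+", re.IGNORECASE)),
    ("comment", re.compile(r";?\s*--")),
    ("bare-quote", re.compile(r"'")),  # goes beyond the LIKE clauses above
]


def suspicious_field_ids(values):
    """Return (field_id, pattern_name) for each value that looks injected."""
    hits = []
    for field_id in values:
        for name, pat in SUSPICIOUS:
            if pat.search(field_id):
                hits.append((field_id, name))
                break
    return hits


def scan_layout_options(conn):
    """Run the field_id review over a DB-API connection (assumed table layout)."""
    cur = conn.execute("SELECT field_id FROM layout_options")
    return suspicious_field_ids(row[0] for row in cur)


def build_sample_db():
    """Constructed stand-in for a real layout_options table, for offline use."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE layout_options (field_id TEXT)")
    conn.executemany("INSERT INTO layout_options VALUES (?)", [
        ("fname",), ("lname",), ("injection'payload",), ("x' OR 1=1",), ("dob;-- ",),
    ])
    return conn


if __name__ == "__main__":
    print(scan_layout_options(build_sample_db()))
    print(is_affected("8.0.0.2"), is_affected("8.0.0.3"))
```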