CVE-2026-33913
XXE Vulnerability in OpenEMR Carecoordination Allows Arbitrary File Read
Publication date: 2026-03-25
Last updated on: 2026-03-26
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open-emr | openemr | all versions before 8.0.0.3 (8.0.0.3 itself is not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-611 | The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an authenticated user with access to the Carecoordination module in OpenEMR to read arbitrary files from the server by uploading a crafted CCDA document. Since OpenEMR is an electronic health records and medical practice management application, unauthorized access to server files could lead to exposure of sensitive patient data.
Such unauthorized data access can negatively impact compliance with regulations like GDPR and HIPAA, which require strict protection of personal and health information. The ability to read arbitrary files may result in breaches of confidentiality and data protection requirements mandated by these standards.
The issue is patched in version 8.0.0.3 of OpenEMR.
Can you explain this vulnerability to me?
This vulnerability exists in OpenEMR versions prior to 8.0.0.3. An authenticated user who has access to the Carecoordination module can upload a specially crafted CCDA document containing an XInclude element that references local files on the server, such as `<xi:include href="file:///etc/passwd" parse="text"/>`. Because the document is parsed with XInclude processing enabled, the referenced file is pulled into the document, which allows the attacker to read arbitrary files from the server.
How can this vulnerability impact me?
The vulnerability allows an authenticated user to read arbitrary files on the server hosting OpenEMR. This can lead to exposure of sensitive system files or data, potentially compromising the confidentiality of the server environment and patient information stored on it.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade OpenEMR to version 8.0.0.3 or later, as this version patches the issue.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether your OpenEMR installation is running a vulnerable version (prior to 8.0.0.3) and whether the Carecoordination module is enabled. Since exploitation involves uploading a crafted CCDA XML document containing an `<xi:include>` element that references local files, monitoring uploads to the Carecoordination module for such elements, or for other suspicious XML content, can help detect exploitation attempts.
To check whether the vulnerable code is present, inspect the source file `src/Services/Cda/XmlExtended.php` for the `LIBXML_XINCLUDE` flag in the XMLReader initialization calls. For example, look for lines containing `LIBXML_XINCLUDE` in the methods `fromFile()` and `fromString()`.
Suggested commands to check for the vulnerable code and for suspicious uploads in the OpenEMR installation directory:
- `grep -n LIBXML_XINCLUDE src/Services/Cda/XmlExtended.php`
- `grep -r '<xi:include' /path/to/openemr/uploads/ccda/`
Additionally, monitoring database tables such as `audit_details` for unexpected content that may include file contents can indicate exploitation.
If you have access to the OpenEMR Docker development environment or another test environment, you can confirm whether an installation is affected by uploading a crafted CCDA XML file containing an `<xi:include>` element that references a local file (e.g., `/etc/passwd`) and then checking whether the file content appears in the application or database.
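The two grep commands above can be combined into a small scanner that runs over an upload directory and reports every CCDA file carrying an XInclude element, an XInclude namespace declaration, or an external entity declaration (the classic CWE-611 pattern named in the Exploitability table). The script below is an added example written for this page; it is not OpenEMR project code. It assumes uploaded CCDA documents are stored as `.xml` files under a directory such as the `/path/to/openemr/uploads/ccda/` placeholder used above, and the sample files it writes are constructed for demonstration only.

```shell
#!/bin/sh
# Added example (not OpenEMR code): flag uploaded CCDA/XML documents that carry
# XInclude directives or external entity declarations, which a benign CCDA
# upload should never contain.

# Regular expressions (grep -E) for the suspicious constructs.
XINCLUDE_TAG='<[[:alnum:]_]+:include[[:space:]/>]'          # e.g. <xi:include ...>
XINCLUDE_NS='www\.w3\.org/(2001|2003)/XInclude'              # XInclude namespace declared
EXT_ENTITY='<!ENTITY[^>]*(SYSTEM|PUBLIC)'                    # external entity (CWE-611)

# scan_ccda_file FILE
# Prints "FILE<TAB>reason" for every pattern found; exit status 0 if flagged, 1 if clean.
scan_ccda_file() {
    f=$1
    hit=1
    if grep -Eq "$XINCLUDE_TAG" "$f"; then printf '%s\tXInclude element\n' "$f"; hit=0; fi
    if grep -Eqi "$XINCLUDE_NS" "$f"; then printf '%s\tXInclude namespace declared\n' "$f"; hit=0; fi
    if grep -Eq "$EXT_ENTITY" "$f"; then printf '%s\texternal entity declaration\n' "$f"; hit=0; fi
    return $hit
}

# scan_ccda_dir DIR
# Recursively scans every .xml file below DIR and prints all findings.
scan_ccda_dir() {
    find "$1" -type f -name '*.xml' | while read -r f; do
        scan_ccda_file "$f" || true
    done
}

# count_flagged_files DIR
# Number of distinct files with at least one finding (useful for alert thresholds).
count_flagged_files() {
    scan_ccda_dir "$1" | cut -f1 | sort -u | wc -l | tr -d ' '
}

# make_sample_dir DIR
# Writes three constructed sample uploads: one benign, one with the XInclude
# payload quoted in this advisory, one with an external entity declaration.
make_sample_dir() {
    mkdir -p "$1"
    cat > "$1/clean.xml" <<'EOF'
<?xml version="1.0"?>
<ClinicalDocument xmlns="urn:hl7-org:v3"><title>Constructed benign CCDA</title></ClinicalDocument>
EOF
    cat > "$1/xinclude.xml" <<'EOF'
<?xml version="1.0"?>
<ClinicalDocument xmlns="urn:hl7-org:v3" xmlns:xi="http://www.w3.org/2001/XInclude">
  <title><xi:include href="file:///etc/passwd" parse="text"/></title>
</ClinicalDocument>
EOF
    cat > "$1/entity.xml" <<'EOF'
<?xml version="1.0"?>
<!DOCTYPE ClinicalDocument [ <!ENTITY ext SYSTEM "file:///constructed/example"> ]>
<ClinicalDocument xmlns="urn:hl7-org:v3"><title>&ext;</title></ClinicalDocument>
EOF
}

# Usage when run directly: sh scan_ccda_uploads.sh /path/to/openemr/uploads/ccda
if [ -n "${1:-}" ]; then
    scan_ccda_dir "$1"
fi
```

Run it against the real upload directory from a cron job or a log-shipping hook and alert on a non-zero `count_flagged_files` result; because it only greps for constructs that have no place in a CCDA document, it does not depend on the file parsing successfully, so malformed or truncated uploads are still inspected.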