CVE-2026-33914
Blind SQL Injection in OpenEMR PostCalendar Module Allows Data Deletion
Publication date: 2026-03-26
Last updated on: 2026-03-26
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open-emr | openemr | < 8.0.0.3 (up to, excluding) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The CVE-2026-33914 vulnerability in OpenEMR allows an authenticated administrator to execute arbitrary SQL commands, including unauthorized data extraction and deletion. Given that OpenEMR is an electronic health records system, this vulnerability poses a significant risk to the confidentiality, integrity, and availability of sensitive health data.
Such unauthorized access and manipulation of protected health information can lead to non-compliance with regulations like HIPAA, which mandates strict safeguards for patient data privacy and security. Similarly, GDPR requires protection of personal data and breach notification, which could be triggered by exploitation of this vulnerability.
Therefore, this vulnerability undermines compliance with common standards and regulations by exposing sensitive health records to potential unauthorized access, modification, or deletion.
Can you explain this vulnerability to me?
CVE-2026-33914 is a high-severity blind SQL injection vulnerability found in the PostCalendar module of OpenEMR versions prior to 8.0.0.3. It occurs in the administrative function `categoriesUpdate` via the `dels` POST parameter. This parameter is processed by a function that only strips HTML tags but does not perform any SQL escaping or sanitization. The unsanitized `dels` value is directly inserted into a raw SQL DELETE statement executed by Doctrine DBAL's `executeStatement()` method without using parameterized queries or prepared statements, allowing an attacker to inject malicious SQL code.
The root causes include improper input sanitization and unsafe SQL query construction: the input cleaning function is designed to prevent HTML injection but does not escape SQL special characters, and the code concatenates the input directly into the SQL query string. This allows an authenticated administrator to execute arbitrary SQL commands, including time-based blind data extraction and deletion of arbitrary rows.
How can this vulnerability impact me?
This vulnerability allows an authenticated administrator to execute arbitrary SQL commands on the OpenEMR database via the `dels` parameter. It enables time-based blind SQL injection attacks to extract sensitive data character-by-character by measuring response delays.
- Execution of arbitrary SQL commands.
- Extraction of sensitive database information through blind time-based techniques.
- Deletion of arbitrary rows across database tables by manipulating the SQL query.
- Potential execution of stacked queries depending on the database driver configuration.
Overall, this can lead to severe confidentiality, integrity, and availability impacts on the affected system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the `dels` POST parameter in the PostCalendar module's `categoriesUpdate` administrative function for blind SQL injection. A proof-of-concept involves sending crafted payloads in the `dels` parameter that induce delays using SQL SLEEP() calls and measuring response times to confirm the presence of a time-based blind SQL injection.
Detection commands or methods include sending POST requests with specially crafted `dels` values that contain SQL injection payloads designed to cause time delays, then observing if the server response times increase accordingly. This confirms the vulnerability.
For example, a Python script can be used to authenticate as an OpenEMR user and send these payloads to extract database information character-by-character by timing responses.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade OpenEMR to version 8.0.0.3 or later, where the vulnerability is patched.
If upgrading is not immediately possible, modify the vulnerable code to sanitize the `dels` POST parameter by parsing it into an array of integers and using parameterized queries or safely constructed SQL statements to prevent SQL injection.
- Parse the `dels` input by splitting on commas and applying `intval()` to each element to whitelist numeric IDs.
- Construct the SQL DELETE statement using the sanitized list of integers.
- Use parameterized queries or safe query execution methods such as `sqlStatement()` with bound parameters instead of direct string interpolation.
Example patched code replaces direct interpolation with sanitized input:

```php
$safeDels = implode(',', array_map('intval', explode(',', $dels)));
$delete = "DELETE FROM $pntable[postcalendar_categories] WHERE pc_catid IN ($safeDels)";
```
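As an added illustration (not OpenEMR's own code), the pattern described above is shown beside a hardened version that goes one step further than the `intval()` filter: the `dels` list is parsed against a strict allowlist that rejects anything other than positive integers, and the DELETE is issued through Doctrine DBAL with one bound parameter per id. The `$conn` connection, the `$pntable` name map, the function names and the sample inputs are assumptions for the example.

```php
<?php
// Added example, not OpenEMR code. Assumes a Doctrine\DBAL\Connection $conn
// and a table-name map $pntable like the one in the snippet above.
use Doctrine\DBAL\Connection;
use Doctrine\DBAL\ParameterType;

// VULNERABLE pattern as the answer describes it: strip_tags() only stops HTML
// injection, and the value is then interpolated straight into the statement.
function deleteCategoriesUnsafe(Connection $conn, array $pntable, string $dels): int
{
    $dels = strip_tags($dels);
    return $conn->executeStatement(
        "DELETE FROM {$pntable['postcalendar_categories']} WHERE pc_catid IN ($dels)"
    );
}

// Parse "12,7,3" into [12, 7, 3]. Anything that is not a positive integer
// (a stray quote, a space, a parenthesis, a second statement) is rejected
// rather than coerced, so a malformed request is refused and can be logged.
function parseCategoryIds(string $dels): array
{
    $ids = [];
    foreach (explode(',', $dels) as $part) {
        if (!preg_match('/^[1-9][0-9]*$/', $part)) {
            throw new InvalidArgumentException("Invalid category id: $part");
        }
        $ids[] = (int) $part;
    }
    return array_values(array_unique($ids));
}

// HARDENED: validated integers, one placeholder per id, values bound by DBAL
// so they can never be parsed as SQL.
function deleteCategoriesSafe(Connection $conn, array $pntable, string $dels): int
{
    $ids = parseCategoryIds($dels);
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $types = array_fill(0, count($ids), ParameterType::INTEGER);
    $sql = "DELETE FROM {$pntable['postcalendar_categories']} WHERE pc_catid IN ($placeholders)";
    return $conn->executeStatement($sql, $ids, $types);
}

// Constructed inputs showing what the validator accepts and refuses.
parseCategoryIds('12,7,3,7');            // [12, 7, 3]
foreach (['7, 8', "7'", ''] as $bad) {
    try {
        parseCategoryIds($bad);
    } catch (InvalidArgumentException $e) {
        error_log('rejected dels value: ' . $e->getMessage()); // detection hook
    }
}
```

Rejecting instead of coercing means a request carrying a non-numeric `dels` value surfaces in the error log, which gives defenders a signal that `intval()` alone would silently swallow.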