CVE-2026-33915
Received Received - Intake
Authorization Bypass in OpenEMR Insurance API Allows Data Modification

Publication date: 2026-03-26

Last updated on: 2026-03-26

Assigner: GitHub, Inc.

Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, five insurance company REST API routes are missing the `RestConfig::request_authorization_check()` call that every other data-modifying route in the standard API uses. This allows any authenticated API user to create and modify insurance company records even if their OpenEMR user account does not have administrative ACL permissions. Version 8.0.0.3 patches the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-26
Last Modified
2026-03-26
Generated
2026-06-16
AI Q&A
2026-03-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33915
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
open-emr openemr to 8.0.0.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33915 is a moderate severity vulnerability in the OpenEMR electronic health records software affecting versions prior to 8.0.0.3. The issue arises because five insurance company REST API routes lack proper authorization checks that are normally required to control access. Specifically, these routes do not call the necessary function to verify if a user has the correct permissions before allowing data modifications.

As a result, any authenticated API userβ€”even those with minimal permissionsβ€”can create or modify insurance company records, which include sensitive administrative data such as company name, address, CMS ID, and X12 receiver ID. This missing authorization check violates the intended access control policies.

Impact Analysis

This vulnerability allows any authenticated user of the OpenEMR API to create or modify insurance company records without having the necessary administrative permissions. This can lead to unauthorized changes in sensitive insurance data that affect billing workflows and insurance claim processing.

Such unauthorized modifications could disrupt normal operations, cause billing errors, or lead to incorrect insurance claim submissions, potentially impacting financial and operational aspects of a healthcare organization.

Detection Guidance

This vulnerability can be detected by checking if your OpenEMR installation is running a version prior to 8.0.0.3 and by testing the affected insurance company REST API routes for missing authorization checks.

Specifically, you can attempt to access or modify insurance company records via the following API endpoints using an authenticated user account with minimal permissions:

  • GET /api/insurance_company
  • GET /api/insurance_company/:iid
  • GET /api/insurance_type
  • POST /api/insurance_company
  • PUT /api/insurance_company/:iid

If these routes allow creation or modification of insurance company records without proper administrative ACL permissions, the vulnerability is present.

Example commands using curl to test unauthorized access might include:

  • curl -X GET -H "Authorization: Bearer <token>" https://<openemr-host>/api/insurance_company
  • curl -X POST -H "Authorization: Bearer <token>" -H "Content-Type: application/json" -d '{"name":"Test Insurance"}' https://<openemr-host>/api/insurance_company

Replace <token> with an authenticated user's token who does not have admin ACL permissions. Successful modification or creation indicates the vulnerability.

Mitigation Strategies

The immediate mitigation step is to upgrade OpenEMR to version 8.0.0.3 or later, where the vulnerability has been patched.

The patch adds proper authorization checks to the affected insurance company REST API routes, enforcing ACL permissions consistent with other administrative endpoints.

  • For GET routes, authorization checks require "acct" and "bill" permissions.
  • For POST and PUT routes, stricter authorization checks require "acct" and "bill" permissions with write access.

If upgrading immediately is not possible, restrict access to the affected API endpoints to trusted users only, and monitor API usage closely for unauthorized modifications.

Compliance Impact

This vulnerability allows any authenticated API user to create and modify insurance company records without proper administrative permissions. These records include sensitive administrative data such as company name, address, CMS ID, and X12 receiver ID, which are critical for billing workflows and insurance claim processing.

Because the vulnerability involves missing authorization checks, it can lead to unauthorized modification of sensitive healthcare-related data, potentially violating data protection and privacy requirements mandated by standards like HIPAA and GDPR.

The lack of proper access control could result in unauthorized data exposure or alteration, which may compromise patient and organizational data integrity and confidentiality, thereby affecting compliance with regulations that require strict access controls and auditability.

The patch introduced in version 8.0.0.3 enforces authorization checks on these API routes, aligning the software with best practices for access control and helping to maintain compliance with relevant healthcare data protection standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33915. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart