CVE-2026-33915
Authorization Bypass in OpenEMR Insurance API Allows Data Modification
Publication date: 2026-03-26
Last updated on: 2026-03-26
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open-emr | openemr | versions before 8.0.0.3 (8.0.0.3 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows any authenticated API user to create and modify insurance company records without proper administrative permissions. These records include sensitive administrative data such as company name, address, CMS ID, and X12 receiver ID, which are critical for billing workflows and insurance claim processing.
Because the vulnerability involves missing authorization checks, it can lead to unauthorized modification of sensitive healthcare-related data, potentially violating data protection and privacy requirements mandated by standards like HIPAA and GDPR.
The lack of proper access control could result in unauthorized data exposure or alteration, which may compromise patient and organizational data integrity and confidentiality, thereby affecting compliance with regulations that require strict access controls and auditability.
The patch introduced in version 8.0.0.3 enforces authorization checks on these API routes, aligning the software with best practices for access control and helping to maintain compliance with relevant healthcare data protection standards.
Can you explain this vulnerability to me?
CVE-2026-33915 is a moderate severity vulnerability in the OpenEMR electronic health records software affecting versions prior to 8.0.0.3. The issue arises because five insurance company REST API routes lack proper authorization checks that are normally required to control access. Specifically, these routes do not call the necessary function to verify if a user has the correct permissions before allowing data modifications.
As a result, any authenticated API user (even one with minimal permissions) can create or modify insurance company records, which include sensitive administrative data such as company name, address, CMS ID, and X12 receiver ID. This missing authorization check violates the intended access control policies.
How can this vulnerability impact me?
This vulnerability allows any authenticated user of the OpenEMR API to create or modify insurance company records without having the necessary administrative permissions. This can lead to unauthorized changes in sensitive insurance data that affect billing workflows and insurance claim processing.
Such unauthorized modifications could disrupt normal operations, cause billing errors, or lead to incorrect insurance claim submissions, potentially impacting financial and operational aspects of a healthcare organization.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if your OpenEMR installation is running a version prior to 8.0.0.3 and by testing the affected insurance company REST API routes for missing authorization checks.
Specifically, you can attempt to access or modify insurance company records via the following API endpoints using an authenticated user account with minimal permissions:
- GET /api/insurance_company
- GET /api/insurance_company/:iid
- GET /api/insurance_type
- POST /api/insurance_company
- PUT /api/insurance_company/:iid
If these routes allow creation or modification of insurance company records without proper administrative ACL permissions, the vulnerability is present.
Example commands using curl to test unauthorized access might include:
- curl -X GET -H "Authorization: Bearer <token>" https://<openemr-host>/api/insurance_company
- curl -X POST -H "Authorization: Bearer <token>" -H "Content-Type: application/json" -d '{"name":"Test Insurance"}' https://<openemr-host>/api/insurance_company
Replace <token> with the token of an authenticated user who does not have admin ACL permissions. A successful creation or modification indicates the vulnerability is present.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade OpenEMR to version 8.0.0.3 or later, where the vulnerability has been patched.
The patch adds proper authorization checks to the affected insurance company REST API routes, enforcing ACL permissions consistent with other administrative endpoints.
- For GET routes, authorization checks require "acct" and "bill" permissions.
- For POST and PUT routes, stricter authorization checks require "acct" and "bill" permissions with write access.
If upgrading immediately is not possible, restrict access to the affected API endpoints to trusted users only, and monitor API usage closely for unauthorized modifications.
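The following Python model is an added example, not OpenEMR's own code, that ties together the detection answer above (a version check against 8.0.0.3) and the mitigation answer (the per-route ACL enforcement the patch adds). The `User`, `authorization_check` and `dispatch` names, the ACL level model and the route table are constructed for this illustration; only the five route paths and the "acct"/"bill" read-versus-write requirements come from the advisory. With `patched=False` the dispatcher reproduces the CWE-862 behaviour described on the page (no check at all on these routes); with `patched=True` a minimal-permission user is refused on every one of them.

```python
"""
Constructed model of the missing-authorization defect described for
CVE-2026-33915 and of the ACL checks the advisory attributes to the
8.0.0.3 patch. All names here are hypothetical; this is not OpenEMR code.
"""
from dataclasses import dataclass, field
import re

# ACL access levels, ordered so that a "write" grant also satisfies "read".
LEVELS = {"none": 0, "read": 1, "write": 2}


@dataclass
class User:
    name: str
    # (section, value) -> granted level, e.g. ("acct", "bill") -> "write"
    acl: dict = field(default_factory=dict)

    def has(self, section, value, access="read"):
        granted = self.acl.get((section, value), "none")
        return LEVELS[granted] >= LEVELS[access]


class Forbidden(Exception):
    pass


def authorization_check(user, section, value, access="read"):
    """Hypothetical stand-in for the per-route ACL check the patch adds."""
    if not user.has(section, value, access):
        raise Forbidden(f"{user.name} lacks {section}/{value} {access}")


# The five affected routes and the acct/bill access level each one needs
# after the fix: GET routes need read, POST and PUT need write.
ROUTES = {
    ("GET", r"^/api/insurance_company$"): "read",
    ("GET", r"^/api/insurance_company/\d+$"): "read",
    ("GET", r"^/api/insurance_type$"): "read",
    ("POST", r"^/api/insurance_company$"): "write",
    ("PUT", r"^/api/insurance_company/\d+$"): "write",
}


def dispatch(user, method, path, patched=True):
    """Return 200 when the request is served, 403 when the ACL blocks it,
    404 when no affected route matches. patched=False models the
    pre-8.0.0.3 behaviour: the route is served with no check at all."""
    for (m, pattern), access in ROUTES.items():
        if m == method and re.match(pattern, path):
            if patched:
                try:
                    authorization_check(user, "acct", "bill", access)
                except Forbidden:
                    return 403
            return 200
    return 404


def is_affected(version):
    """True when an OpenEMR version string is below 8.0.0.3, the fixed release.
    Non-numeric suffixes are ignored; missing components count as zero."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version))
    parts += (0,) * (4 - len(parts))
    return parts[:4] < (8, 0, 0, 3)


if __name__ == "__main__":
    clerk = User("clerk")                                  # authenticated, no ACLs
    viewer = User("viewer", {("acct", "bill"): "read"})    # read-only billing
    biller = User("biller", {("acct", "bill"): "write"})   # billing write access
    requests = [("GET", "/api/insurance_company"),
                ("POST", "/api/insurance_company"),
                ("PUT", "/api/insurance_company/7")]
    for u in (clerk, viewer, biller):
        for method, path in requests:
            print(f"{u.name:7} {method:4} {path:28} unpatched={dispatch(u, method, path, patched=False)} "
                  f"patched={dispatch(u, method, path)}")
    for v in ("7.0.3", "8.0.0.2", "8.0.0.3"):
        print(v, "affected" if is_affected(v) else "fixed")
```

Running the block prints, per user and request, the status the unpatched and patched dispatchers return: the clerk with no ACL grants gets 200 on POST and PUT from the unpatched model and 403 from the patched one, the read-only viewer is allowed GET but refused POST/PUT, and only the write-level biller can modify records. The `is_affected` helper is the version test from the detection answer in code form.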