CVE-2026-33917
Received Received - Intake
SQL Injection in OpenEMR CAMOS Form Allows Data Manipulation

Publication date: 2026-03-26

Last updated on: 2026-03-26

Assigner: GitHub, Inc.

Description
OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.3 contais a SQL injection vulnerability in the ajax_save CAMOS form that can be exploited by authenticated attackers. The vulnerability exists due to insufficient input validation in the ajax_save page in the CAMOS form. Version 8.0.0.3 patches the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-26
Last Modified
2026-03-26
Generated
2026-06-16
AI Q&A
2026-03-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33917
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
open-emr openemr to 8.0.0.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33917 is a SQL injection vulnerability in OpenEMR versions prior to 8.0.0.3, specifically in the ajax_save functionality of the CAMOS form. The issue arises because user-supplied input, particularly interval values used in SQL date arithmetic functions, is not properly validated or sanitized before being included in SQL queries.

The vulnerability allows authenticated attackers to inject malicious SQL code by manipulating the day interval values in commands like date_add or date_sub embedded in the content parameter. This happens because the input was previously only passed through a custom escaping function which was insufficient, allowing SQL injection attacks.

The fix involved changing the input handling to strictly cast the interval values to integers before using them in SQL queries, preventing injection of arbitrary SQL code.

Impact Analysis

This vulnerability can have severe impacts including unauthorized access to sensitive data, data modification, and potential disruption of service. Because it is a high-severity SQL injection flaw, an attacker with valid authentication can exploit it to execute arbitrary SQL commands.

  • Unauthorized data access, including extraction of sensitive information such as usernames and hashed passwords.
  • Data integrity compromise by modifying or deleting records in the database.
  • Potential denial of service or availability issues by executing disruptive SQL commands.
  • Possibility of server-side code execution in some cases.
Detection Guidance

This vulnerability can be detected by observing attempts to exploit the SQL injection in the ajax_save CAMOS form, specifically targeting the content parameter with crafted inputs that manipulate SQL date arithmetic functions.

An example detection method involves monitoring HTTP requests to the ajax_save.php endpoint for suspicious payloads containing commands like /* date_add::X */ or /* date_sub::X */ with unusual or malicious interval values.

A practical approach is to use curl commands to test the vulnerability by submitting specially crafted inputs to the ajax_save.php page and observing the response for SQL errors or delays indicating SQL injection.

  • Use curl to send a payload with a crafted content parameter to ajax_save.php to check for SQL injection, for example: curl -X POST -d 'content=/* date_add::1 */' http://<target>/interface/forms/CAMOS/ajax_save.php
  • Look for SQL syntax errors or time delays in responses that may indicate exploitation attempts, such as boolean-based blind SQL injection or time-based delays using SQL SLEEP() functions.
Mitigation Strategies

The immediate and recommended mitigation step is to update OpenEMR to version 8.0.0.3 or later, where the vulnerability has been patched by enforcing strict input validation and casting interval parameters to integers.

If updating immediately is not possible, restrict access to the vulnerable ajax_save CAMOS form to trusted authenticated users only, and monitor for suspicious activity targeting this endpoint.

Additionally, review and apply any available security advisories and patches related to OpenEMR to ensure all known vulnerabilities are addressed.

Compliance Impact

The SQL injection vulnerability in OpenEMR prior to version 8.0.0.3 allows authenticated attackers to execute arbitrary SQL commands, potentially leading to unauthorized access, modification, or extraction of sensitive patient data.

Such unauthorized access and data breaches can compromise the confidentiality, integrity, and availability of protected health information (PHI), which are core requirements under regulations like HIPAA.

Failure to protect patient data from such vulnerabilities may result in non-compliance with HIPAA's Security Rule and could also violate GDPR requirements related to data protection and breach notification.

Therefore, this vulnerability poses a significant risk to compliance with common healthcare data protection standards and regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33917. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart