CVE-2026-33917
Status: Received - Intake
SQL Injection in OpenEMR CAMOS Form Allows Data Manipulation

Publication date: 2026-03-26

Last updated on: 2026-03-26

Assigner: GitHub, Inc.

Description
OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.3 contain a SQL injection vulnerability in the ajax_save CAMOS form that can be exploited by authenticated attackers. The vulnerability exists due to insufficient input validation in the ajax_save page of the CAMOS form. Version 8.0.0.3 patches the issue.
Meta Information
Published: 2026-03-26
Last Modified: 2026-03-26
Generated: 2026-05-07
AI Q&A: 2026-03-26
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: open-emr
Product: openemr
Version / Range: up to 8.0.0.3 (excluding)
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
AI Powered Q&A
How can this vulnerability impact me?

This vulnerability can have severe impacts including unauthorized access to sensitive data, data modification, and potential disruption of service. Because it is a high-severity SQL injection flaw, an attacker with valid authentication can exploit it to execute arbitrary SQL commands.

  • Unauthorized data access, including extraction of sensitive information such as usernames and hashed passwords.
  • Data integrity compromise by modifying or deleting records in the database.
  • Potential denial of service or availability issues by executing disruptive SQL commands.
  • Possibility of server-side code execution in some cases.

Can you explain this vulnerability to me?

CVE-2026-33917 is a SQL injection vulnerability in OpenEMR versions prior to 8.0.0.3, specifically in the ajax_save functionality of the CAMOS form. The issue arises because user-supplied input, particularly interval values used in SQL date arithmetic functions, is not properly validated or sanitized before being included in SQL queries.

The vulnerability allows authenticated attackers to inject malicious SQL code by manipulating the day interval values in commands like date_add or date_sub embedded in the content parameter. This happens because the input was previously passed only through a custom escaping function, which was insufficient to prevent SQL injection.

The fix involved changing the input handling to strictly cast the interval values to integers before using them in SQL queries, preventing injection of arbitrary SQL code.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by observing attempts to exploit the SQL injection in the ajax_save CAMOS form, specifically targeting the content parameter with crafted inputs that manipulate SQL date arithmetic functions.

An example detection method involves monitoring HTTP requests to the ajax_save.php endpoint for suspicious payloads containing commands like /* date_add::X */ or /* date_sub::X */ with unusual or malicious interval values.

A practical approach is to use curl commands to test the vulnerability by submitting specially crafted inputs to the ajax_save.php page and observing the response for SQL errors or delays indicating SQL injection.

  • Use curl to send a payload with a crafted content parameter to ajax_save.php to check for SQL injection, for example: curl -X POST -d 'content=/* date_add::1 */' http://<target>/interface/forms/CAMOS/ajax_save.php
  • Look for SQL syntax errors or time delays in responses that may indicate exploitation attempts, such as boolean-based blind SQL injection or time-based delays using SQL SLEEP() functions.
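The detection idea above (inspect the content parameter of requests to ajax_save.php for date_add/date_sub tokens whose interval is not a plain integer) and the fix principle (strictly cast the interval to an integer before it reaches SQL) share the same small parser. The following Python is an added example and is not OpenEMR code or part of the advisory. It assumes request bodies are available from a proxy or WAF that logs form-encoded POST data; the endpoint path and the /* date_add::X */ token syntax are taken from the Q&A above, and the sample records are constructed.

```python
"""Added example (not OpenEMR code): audit logged POSTs to the CAMOS ajax_save
endpoint and flag date_add/date_sub tokens whose interval is not an integer.

Assumptions (not from the advisory): request bodies are available as
form-encoded strings from a proxy/WAF log; the token syntax is /* date_add::X */
or /* date_sub::X */ inside the 'content' form field."""
import re
from typing import Optional
from urllib.parse import parse_qs

# Endpoint named in the Q&A; only requests to this path are in scope.
ENDPOINT = "/interface/forms/CAMOS/ajax_save.php"
# Matches /* date_add::X */ and /* date_sub::X */; group 2 is the raw interval.
TOKEN_RE = re.compile(r"/\*\s*(date_add|date_sub)::(.*?)\*/", re.IGNORECASE | re.DOTALL)
INT_RE = re.compile(r"[+-]?\d+")


def strict_interval(raw: str) -> Optional[int]:
    """Principle of the fix: accept the interval only if it is an integer literal.
    Anything else is rejected outright rather than escaped."""
    raw = raw.strip()
    return int(raw) if INT_RE.fullmatch(raw) else None


def audit_content(content: str) -> list[str]:
    """Return one finding per date_add/date_sub token with a non-integer interval."""
    findings = []
    for m in TOKEN_RE.finditer(content):
        func, raw = m.group(1).lower(), m.group(2).strip()
        if strict_interval(raw) is None:
            findings.append(f"{func} interval is not an integer: {raw!r}")
    return findings


def audit_request(path: str, body: str) -> list[str]:
    """Audit one logged POST: decode the form body and check every 'content' value."""
    if path.split("?", 1)[0] != ENDPOINT:
        return []
    fields = parse_qs(body, keep_blank_values=True)
    findings = []
    for content in fields.get("content", []):
        findings.extend(audit_content(content))
    return findings


# Constructed sample records (method, path, form-encoded body); not real traffic.
SAMPLE_LOG = [
    ("POST", "/interface/forms/CAMOS/ajax_save.php", "content=Follow-up+%2F*+date_add%3A%3A14+*%2F"),
    ("POST", "/interface/forms/CAMOS/ajax_save.php", "content=%2F*+date_sub%3A%3A7+NOT_AN_INTEGER+*%2F"),
    ("POST", "/interface/forms/CAMOS/ajax_save.php", "content=plain+note+without+interval+tokens"),
    ("POST", "/interface/main/main_screen.php", "content=%2F*+date_add%3A%3Ax+*%2F"),
]


def audit_log(records) -> list[tuple[int, str]]:
    """Run the audit over a sequence of records; returns (record index, finding) pairs."""
    out = []
    for i, (method, path, body) in enumerate(records):
        if method != "POST":
            continue
        for finding in audit_request(path, body):
            out.append((i, finding))
    return out


if __name__ == "__main__":
    for idx, finding in audit_log(SAMPLE_LOG):
        print(f"record {idx}: {finding}")
```

Only the second sample record is flagged: its interval carries trailing non-numeric text, which the strict integer check in strict_interval rejects. The first record (an integer interval) and the third (no tokens) pass, and the fourth is out of scope because it targets a different path. Negative intervals are accepted as integers, so the check flags only values that could not survive an integer cast.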

What immediate steps should I take to mitigate this vulnerability?

The immediate and recommended mitigation step is to update OpenEMR to version 8.0.0.3 or later, where the vulnerability has been patched by enforcing strict input validation and casting interval parameters to integers.

If updating immediately is not possible, restrict access to the vulnerable ajax_save CAMOS form to trusted authenticated users only, and monitor for suspicious activity targeting this endpoint.

Additionally, review and apply any available security advisories and patches related to OpenEMR to ensure all known vulnerabilities are addressed.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The SQL injection vulnerability in OpenEMR prior to version 8.0.0.3 allows authenticated attackers to execute arbitrary SQL commands, potentially leading to unauthorized access, modification, or extraction of sensitive patient data.

Such unauthorized access and data breaches can compromise the confidentiality, integrity, and availability of protected health information (PHI), the protection of which is a core requirement under regulations like HIPAA.

Failure to protect patient data from such vulnerabilities may result in non-compliance with HIPAA's Security Rule and could also violate GDPR requirements related to data protection and breach notification.

Therefore, this vulnerability poses a significant risk to compliance with common healthcare data protection standards and regulations.

