CVE-2026-33918
Status: Received - Intake
Insecure Direct Object Reference in OpenEMR Billing Endpoint Allows PHI Exposure

Publication date: 2026-03-26

Last updated on: 2026-03-26

Assigner: GitHub, Inc.

Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the billing file-download endpoint `interface/billing/get_claim_file.php` only verifies that the caller has a valid session and CSRF token, but does not check any ACL permissions. This allows any authenticated OpenEMR user, regardless of whether they have billing privileges, to download and permanently delete electronic claim batch files containing protected health information (PHI). Version 8.0.0.3 patches the issue.
Meta Information
Published: 2026-03-26
Last Modified: 2026-03-26
Generated: 2026-05-07
AI Q&A: 2026-03-26
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor     Product   Version / Range
open-emr   openemr   to 8.0.0.3 (exc)
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-33918 is a high-severity missing authorization vulnerability in OpenEMR versions up to 8.0.0.2. It affects the billing file-download endpoint at interface/billing/get_claim_file.php, which only checks for a valid session and CSRF token but does not enforce Access Control List (ACL) permissions.

This flaw allows any authenticated OpenEMR user, regardless of billing privileges, to download and permanently delete electronic claim batch files containing protected health information (PHI) such as patient names, dates of birth, diagnoses, procedure codes, and insurance identifiers.

The vulnerability exists because while UI pages linking to this endpoint enforce billing ACL checks, the endpoint itself does not, enabling direct URL access to bypass restrictions. Files can be enumerated due to predictable filenames, but path traversal is prevented.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows any authenticated OpenEMR user to download and permanently delete electronic claim batch files containing protected health information (PHI), such as patient names, dates of birth, diagnoses, procedure codes, and insurance identifiers.

Because PHI is exposed without proper access control, this vulnerability can lead to unauthorized disclosure and deletion of sensitive health data, which is a violation of privacy and security requirements mandated by regulations like HIPAA.

Such unauthorized access and potential data loss undermine compliance with standards that require strict protection of personal health information, including GDPR and HIPAA, potentially resulting in legal and regulatory consequences for affected organizations.


How can this vulnerability impact me?

This vulnerability can lead to unauthorized disclosure and deletion of sensitive billing data containing protected health information (PHI).

An attacker with any authenticated OpenEMR account can download and delete electronic claim batch files, potentially exposing patient information and disrupting billing workflows.

The impact includes high confidentiality loss, low integrity loss, and low availability loss, which can affect the trustworthiness and availability of billing data.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring access to the billing file-download endpoint at interface/billing/get_claim_file.php. Since the vulnerability allows any authenticated user to download or delete claim batch files without proper ACL checks, suspicious activity may include unexpected access or deletion of files from this endpoint.

To detect exploitation attempts, you can look for HTTP requests to the vulnerable endpoint, especially those including the delete=1 parameter which triggers file deletion.

  • Use web server access logs to search for requests to interface/billing/get_claim_file.php, for example:
      grep 'get_claim_file.php' /var/log/apache2/access.log
  • Look for requests with the delete=1 parameter indicating file deletion attempts:
      grep 'get_claim_file.php.*delete=1' /var/log/apache2/access.log

Additionally, monitoring for authenticated users without billing privileges accessing this endpoint can indicate exploitation attempts.
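As an added example (not part of this record and not OpenEMR's own tooling), the following POSIX shell script applies the two grep checks above to constructed sample Apache combined-format log lines, tightens the delete=1 match so it only hits the whole query parameter rather than any substring, and tallies endpoint requests per client address so a single client walking through batch files stands out. Only the endpoint path and the delete=1 parameter come from the advisory; the log lines, client addresses, timestamps, status codes and the key= file-name parameter are constructed placeholders, not verified OpenEMR values.

```shell
#!/bin/sh
# Added example, not from the advisory: triage Apache combined-format access
# logs for requests to the OpenEMR claim-file endpoint named in the advisory.
# Only the endpoint path and the delete=1 parameter come from the advisory;
# every log line below is constructed sample data, and the file-name parameter
# (key=...) is a placeholder, not a verified OpenEMR parameter name.

ENDPOINT='interface/billing/get_claim_file.php'

# Constructed sample log: one unrelated request, one download followed by a
# deletion from 10.0.0.7, and three back-to-back downloads of different batch
# files from 10.0.0.9.
SAMPLE_LOG=$(cat <<'EOF'
10.0.0.5 - - [26/Mar/2026:10:01:02 +0000] "GET /interface/main/tabs/main.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [26/Mar/2026:10:02:15 +0000] "GET /interface/billing/get_claim_file.php?key=batch_20260326.txt&csrf_token_form=t1 HTTP/1.1" 200 40960 "-" "Mozilla/5.0"
10.0.0.7 - - [26/Mar/2026:10:02:40 +0000] "GET /interface/billing/get_claim_file.php?key=batch_20260326.txt&delete=1&csrf_token_form=t1 HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.0.0.9 - - [26/Mar/2026:10:03:01 +0000] "GET /interface/billing/get_claim_file.php?key=batch_20260325.txt&csrf_token_form=t2 HTTP/1.1" 200 40960 "-" "curl/8.0"
10.0.0.9 - - [26/Mar/2026:10:03:05 +0000] "GET /interface/billing/get_claim_file.php?key=batch_20260324.txt&csrf_token_form=t2 HTTP/1.1" 200 40960 "-" "curl/8.0"
10.0.0.9 - - [26/Mar/2026:10:03:09 +0000] "GET /interface/billing/get_claim_file.php?key=batch_20260323.txt&csrf_token_form=t2 HTTP/1.1" 200 40960 "-" "curl/8.0"
EOF
)

# Every request that reached the endpoint (downloads and deletions alike).
# Reads log text on stdin and prints the matching lines. -F treats the path
# as a fixed string so the dot in ".php" is not a wildcard.
claim_file_requests() {
    grep -F "$ENDPOINT"
}

# Deletion attempts only: delete=1 as a whole query parameter. The pattern in
# the advisory ('get_claim_file.php.*delete=1') would also match delete=10 or
# a file name that happens to contain "delete=1"; anchoring on the parameter
# separators avoids that.
claim_file_deletions() {
    grep -F "$ENDPOINT" | grep -E '[?&]delete=1([& ]|$)'
}

# Requests per client address (first field of the combined format), busiest
# first. Many requests for different batch files from one client in a short
# window is the enumeration pattern the advisory describes.
claim_file_requests_by_ip() {
    grep -F "$ENDPOINT" | awk '{ print $1 }' | sort | uniq -c | sort -rn
}

# Line counter with whitespace stripped, since wc -l pads on some platforms.
count_lines() {
    wc -l | tr -d ' '
}

# Run against the sample when executed directly.
printf '%s\n' "$SAMPLE_LOG" | claim_file_deletions
printf '%s\n' "$SAMPLE_LOG" | claim_file_requests_by_ip
```

Replace `printf '%s\n' "$SAMPLE_LOG"` with `cat /var/log/apache2/access.log` to run it over a real log. Note that the web server log identifies a client address and not the OpenEMR account, so deciding whether the caller actually lacked billing privileges still requires correlating these hits with the application's own session or audit records.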


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade OpenEMR to version 8.0.0.3 or later, where the vulnerability is patched by adding proper Access Control List (ACL) checks to the get_claim_file.php endpoint.

If upgrading immediately is not possible, restrict access to the vulnerable endpoint, either by limiting which authenticated users can reach it or by network controls such as firewall rules that block requests to interface/billing/get_claim_file.php from anyone who does not need it.

Additionally, verify that CSRF tokens are properly validated on requests to this endpoint to prevent unauthorized actions.

Review user roles and permissions to ensure only users with billing privileges have access to billing-related functions.

