Compliance Impact

This vulnerability allows any authenticated OpenEMR user to download and permanently delete electronic claim batch files containing protected health information (PHI), such as patient names, dates of birth, diagnoses, procedure codes, and insurance identifiers.

Because PHI is exposed without proper access control, this vulnerability can lead to unauthorized disclosure and deletion of sensitive health data, which is a violation of privacy and security requirements mandated by regulations like HIPAA.

Such unauthorized access and potential data loss undermine compliance with standards that require strict protection of personal health information, including GDPR and HIPAA, potentially resulting in legal and regulatory consequences for affected organizations.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-33918 is a high-severity missing authorization vulnerability in OpenEMR versions up to 8.0.0.2. It affects the billing file-download endpoint at interface/billing/get_claim_file.php, which only checks for a valid session and CSRF token but does not enforce Access Control List (ACL) permissions.

This flaw allows any authenticated OpenEMR user, regardless of billing privileges, to download and permanently delete electronic claim batch files containing protected health information (PHI) such as patient names, dates of birth, diagnoses, procedure codes, and insurance identifiers.

The vulnerability exists because while UI pages linking to this endpoint enforce billing ACL checks, the endpoint itself does not, enabling direct URL access to bypass restrictions. Files can be enumerated due to predictable filenames, but path traversal is prevented.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized disclosure and deletion of sensitive billing data containing protected health information (PHI).

An attacker with any authenticated OpenEMR account can download and delete electronic claim batch files, potentially exposing patient information and disrupting billing workflows.

The impact includes high confidentiality loss, low integrity loss, and low availability loss, which can affect the trustworthiness and availability of billing data.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring access to the billing file-download endpoint at interface/billing/get_claim_file.php. Since the vulnerability allows any authenticated user to download or delete claim batch files without proper ACL checks, suspicious activity may include unexpected access or deletion of files from this endpoint.

To detect exploitation attempts, you can look for HTTP requests to the vulnerable endpoint, especially those including the delete=1 parameter which triggers file deletion.

• Use web server access logs to search for requests to interface/billing/get_claim_file.php, for example:
• grep 'get_claim_file.php' /var/log/apache2/access.log
• Look for requests with the delete=1 parameter indicating file deletion attempts:
• grep 'get_claim_file.php.*delete=1' /var/log/apache2/access.log

Additionally, monitoring for authenticated users without billing privileges accessing this endpoint can indicate exploitation attempts.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade OpenEMR to version 8.0.0.3 or later, where the vulnerability is patched by adding proper Access Control List (ACL) checks to the get_claim_file.php endpoint.

If upgrading immediately is not possible, restrict access to the vulnerable endpoint by limiting authenticated user permissions or by network controls such as firewall rules to prevent unauthorized users from accessing interface/billing/get_claim_file.php.

Additionally, verify that CSRF tokens are properly validated on requests to this endpoint to prevent unauthorized actions.

Review user roles and permissions to ensure only users with billing privileges have access to billing-related functions.

Useful 0 Not Useful 0