CVE-2026-33934
Missing Authorization Allows Signature Disclosure in OpenEMR Portal
Publication date: 2026-03-26
Last updated on: 2026-03-26
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open-emr | openemr | to 8.0.0.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33934 is an authorization bypass vulnerability in OpenEMR versions prior to 8.0.0.3 affecting the patient portal's signature retrieval functionality.
Specifically, the file `portal/sign/lib/show-signature.php` lacks proper authorization checks, allowing any authenticated patient portal user to retrieve the drawn signature image of any staff member by supplying an arbitrary `user` value in the POST request body.
While the write endpoint (`save-signature.php`) was already protected against this issue, the read endpoint was not updated accordingly, enabling unauthorized access.
This means a patient portal user can bypass intended access controls and view sensitive signature images and staff names by manipulating request parameters.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows any authenticated patient portal user to access the drawn signature images and full names of staff members without proper authorization. Such unauthorized disclosure of staff signatures and personal information represents a breach of confidentiality.
Since OpenEMR is an electronic health records system, unauthorized access to staff signatures and names could lead to violations of data protection regulations such as GDPR and HIPAA, which mandate strict controls over access to personal and sensitive information.
The vulnerability enables a crossover from patient data access to clinical/staff data, undermining the principle of least privilege and potentially exposing sensitive information that should be protected under these regulations.
How can this vulnerability impact me? :
This vulnerability allows an authenticated patient portal user to bypass authorization controls and access sensitive staff data, specifically the drawn signature images and full names of staff members.
Because staff user IDs are sequential integers, an attacker can enumerate multiple staff signatures easily.
The impact includes unauthorized disclosure of confidential clinical/staff information, which could lead to privacy violations and potential misuse of staff signatures.
The vulnerability has a moderate severity with a CVSS v3.1 base score of 4.3, indicating a network attack vector with low complexity and low privileges required.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unauthorized POST requests to the endpoint `/portal/sign/lib/show-signature.php` where the POST body contains arbitrary or unexpected `user` values, especially with the `type` parameter set to `admin-signature` or other staff signature types.
A practical detection method is to capture and analyze HTTP POST requests to this endpoint from authenticated patient portal users and check if the `user` parameter is being manipulated to access other users' signatures.
Example commands to detect such activity include using network traffic inspection tools like `tcpdump` or `tshark` to filter HTTP POST requests to the vulnerable endpoint, or using web server logs to search for suspicious POST requests.
- Using tcpdump to capture POST requests to the vulnerable endpoint: tcpdump -i any -A -s 0 'tcp port 80 or tcp port 443' | grep 'POST /portal/sign/lib/show-signature.php'
- Using grep on web server logs to find suspicious POST requests: grep 'POST /portal/sign/lib/show-signature.php' /var/log/apache2/access.log | grep 'user='
- Using tshark to filter HTTP POST requests to the endpoint: tshark -Y 'http.request.method == "POST" && http.request.uri contains "/portal/sign/lib/show-signature.php"'
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade OpenEMR to version 8.0.0.3 or later, where the vulnerability has been patched by adding proper authorization checks in the `show-signature.php` file.
If upgrading immediately is not possible, restrict access to the vulnerable endpoint by implementing network-level controls such as firewall rules or web application firewall (WAF) rules to block unauthorized POST requests to `/portal/sign/lib/show-signature.php`.
Additionally, monitor and audit patient portal user activity for suspicious attempts to access staff signatures by manipulating the `user` or `type` parameters.
Ensure that patient portal users have only the minimum required privileges and consider temporarily disabling the patient portal if the risk is high and no patch is available.