CVE-2026-33934
Received Received - Intake
Missing Authorization Allows Signature Disclosure in OpenEMR Portal

Publication date: 2026-03-26

Last updated on: 2026-03-26

Assigner: GitHub, Inc.

Description
OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.3 have a missing authorization check in `portal/sign/lib/show-signature.php` that allows any authenticated patient portal user to retrieve the drawn signature image of any staff member by supplying an arbitrary `user` value in the POST body. The companion write endpoint (`save-signature.php`) was already hardened against this same issue, but the read endpoint was not updated to match. Version 8.0.0.3 patches the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-26
Last Modified
2026-03-26
Generated
2026-06-16
AI Q&A
2026-03-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33934
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
open-emr openemr to 8.0.0.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability allows any authenticated patient portal user to access the drawn signature images and full names of staff members without proper authorization. Such unauthorized disclosure of staff signatures and personal information represents a breach of confidentiality.

Since OpenEMR is an electronic health records system, unauthorized access to staff signatures and names could lead to violations of data protection regulations such as GDPR and HIPAA, which mandate strict controls over access to personal and sensitive information.

The vulnerability enables a crossover from patient data access to clinical/staff data, undermining the principle of least privilege and potentially exposing sensitive information that should be protected under these regulations.

Executive Summary

CVE-2026-33934 is an authorization bypass vulnerability in OpenEMR versions prior to 8.0.0.3 affecting the patient portal's signature retrieval functionality.

Specifically, the file `portal/sign/lib/show-signature.php` lacks proper authorization checks, allowing any authenticated patient portal user to retrieve the drawn signature image of any staff member by supplying an arbitrary `user` value in the POST request body.

While the write endpoint (`save-signature.php`) was already protected against this issue, the read endpoint was not updated accordingly, enabling unauthorized access.

This means a patient portal user can bypass intended access controls and view sensitive signature images and staff names by manipulating request parameters.

Impact Analysis

This vulnerability allows an authenticated patient portal user to bypass authorization controls and access sensitive staff data, specifically the drawn signature images and full names of staff members.

Because staff user IDs are sequential integers, an attacker can enumerate multiple staff signatures easily.

The impact includes unauthorized disclosure of confidential clinical/staff information, which could lead to privacy violations and potential misuse of staff signatures.

The vulnerability has a moderate severity with a CVSS v3.1 base score of 4.3, indicating a network attack vector with low complexity and low privileges required.

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized POST requests to the endpoint `/portal/sign/lib/show-signature.php` where the POST body contains arbitrary or unexpected `user` values, especially with the `type` parameter set to `admin-signature` or other staff signature types.

A practical detection method is to capture and analyze HTTP POST requests to this endpoint from authenticated patient portal users and check if the `user` parameter is being manipulated to access other users' signatures.

Example commands to detect such activity include using network traffic inspection tools like `tcpdump` or `tshark` to filter HTTP POST requests to the vulnerable endpoint, or using web server logs to search for suspicious POST requests.

  • Using tcpdump to capture POST requests to the vulnerable endpoint: tcpdump -i any -A -s 0 'tcp port 80 or tcp port 443' | grep 'POST /portal/sign/lib/show-signature.php'
  • Using grep on web server logs to find suspicious POST requests: grep 'POST /portal/sign/lib/show-signature.php' /var/log/apache2/access.log | grep 'user='
  • Using tshark to filter HTTP POST requests to the endpoint: tshark -Y 'http.request.method == "POST" && http.request.uri contains "/portal/sign/lib/show-signature.php"'
Mitigation Strategies

The immediate mitigation step is to upgrade OpenEMR to version 8.0.0.3 or later, where the vulnerability has been patched by adding proper authorization checks in the `show-signature.php` file.

If upgrading immediately is not possible, restrict access to the vulnerable endpoint by implementing network-level controls such as firewall rules or web application firewall (WAF) rules to block unauthorized POST requests to `/portal/sign/lib/show-signature.php`.

Additionally, monitor and audit patient portal user activity for suspicious attempts to access staff signatures by manipulating the `user` or `type` parameters.

Ensure that patient portal users have only the minimum required privileges and consider temporarily disabling the patient portal if the risk is high and no patch is available.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33934. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart