{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33305", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-18T18:55:47.428Z", "datePublished": "2026-03-19T20:30:57.300Z", "dateUpdated": "2026-03-21T03:31:08.059Z"}, "containers": {"cna": {"title": "OpenEMR has Authorization Bypass in FaxSMS AppDispatch Constructor", "problemTypes": [{"descriptions": [{"cweId": "CWE-696", "lang": "en", "description": "CWE-696: Incorrect Behavior Order", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/openemr/openemr/security/advisories/GHSA-r973-h5cq-35rc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openemr/openemr/security/advisories/GHSA-r973-h5cq-35rc"}, {"name": "https://github.com/openemr/openemr/commit/edb65936e259b2625e8eea4628316c4577cb2a11", "tags": ["x_refsource_MISC"], "url": "https://github.com/openemr/openemr/commit/edb65936e259b2625e8eea4628316c4577cb2a11"}], "affected": [{"vendor": "openemr", "product": "openemr", "versions": [{"version": "< 8.0.0.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T20:30:57.300Z"}, "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, an authorization bypass in the optional FaxSMS module (`oe-module-faxsms`) allows any authenticated OpenEMR user to invoke controller methods \u2014 including `getNotificationLog()`, which returns patient appointment data (PHI) \u2014 regardless of whether they hold the required ACL permissions. The `AppDispatch` constructor dispatches user-controlled actions and exits the process before any calling code can enforce ACL checks. Version 8.0.0.2 fixes the issue."}], "source": {"advisory": "GHSA-r973-h5cq-35rc", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-21T03:30:52.867142Z", "id": "CVE-2026-33305", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-21T03:31:08.059Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33305", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-21T03:30:52.867142Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-21T03:31:01.543Z"}}], "cna": {"title": "OpenEMR has Authorization Bypass in FaxSMS AppDispatch Constructor", "source": {"advisory": "GHSA-r973-h5cq-35rc", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "openemr", "product": "openemr", "versions": [{"status": "affected", "version": "< 8.0.0.2"}]}], "references": [{"url": "https://github.com/openemr/openemr/security/advisories/GHSA-r973-h5cq-35rc", "name": "https://github.com/openemr/openemr/security/advisories/GHSA-r973-h5cq-35rc", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/openemr/openemr/commit/edb65936e259b2625e8eea4628316c4577cb2a11", "name": "https://github.com/openemr/openemr/commit/edb65936e259b2625e8eea4628316c4577cb2a11", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, an authorization bypass in the optional FaxSMS module (`oe-module-faxsms`) allows any authenticated OpenEMR user to invoke controller methods \u2014 including `getNotificationLog()`, which returns patient appointment data (PHI) \u2014 regardless of whether they hold the required ACL permissions. The `AppDispatch` constructor dispatches user-controlled actions and exits the process before any calling code can enforce ACL checks. Version 8.0.0.2 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-696", "description": "CWE-696: Incorrect Behavior Order"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T20:30:57.300Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33305", "state": "PUBLISHED", "dateUpdated": "2026-03-21T03:31:08.059Z", "dateReserved": "2026-03-18T18:55:47.428Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-19T20:30:57.300Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*", "matchCriteriaId": "C78F19AD-BD18-4F61-8B1C-DD099DBC6D34", "versionEndExcluding": "8.0.0.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, an authorization bypass in the optional FaxSMS module (`oe-module-faxsms`) allows any authenticated OpenEMR user to invoke controller methods \u2014 including `getNotificationLog()`, which returns patient appointment data (PHI) \u2014 regardless of whether they hold the required ACL permissions. The `AppDispatch` constructor dispatches user-controlled actions and exits the process before any calling code can enforce ACL checks. Version 8.0.0.2 fixes the issue."}], "id": "CVE-2026-33305", "lastModified": "2026-03-20T15:05:28.337", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-19T21:17:11.863", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/openemr/openemr/commit/edb65936e259b2625e8eea4628316c4577cb2a11"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/openemr/openemr/security/advisories/GHSA-r973-h5cq-35rc"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-696"}, {"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,8.0.0.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "openemr", "source": "cna", "vendor": "openemr"}, "product": "openemr", "vendor": "openemr"}], "analysis": {"en": {"generated_at": "2026-03-20T16:29:11.936683+00:00", "value": {"mitigation_remediation": ["Apply the latest OpenEMR patch (8.0.0.2 or later).", "If upgrading is not immediately possible, disable the FaxSMS module or restrict its use through ACLs.", "Verify that getNotificationLog is no longer callable by users without permission.", "Monitor application logs for suspicious notification log calls."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Access to PHI"}, "threat_synthesis": {"affected_systems": "All installations of OpenEMR running versions prior to 8.0.0.2, including those that include the FaxSMS optional module, are affected. The issue is limited to the FaxSMS module and does not impact the core OpenEMR functionality. Versions 8.0.0.2 and later contain the necessary fix.", "description_and_impact": "OpenEMR's optional FaxSMS module contains an authorization bypass in the AppDispatch constructor. The constructor accepts actions supplied by an authenticated user and exits before any calling code can enforce ACL checks. Consequently, methods such as getNotificationLog() can be invoked by any authenticated user, exposing patient appointment data that is considered PHI. The flaw lies entirely in the lack of permission verification, allowing unauthorized disclosure of confidential health information.", "risk_and_exploitability": "The vulnerability has a CVSS score of 5.4, classifying it as a medium severity issue. The EPSS score is below 1%, and the vulnerability is not listed in the CISA KEV catalog. Attack requires the attacker to be an authenticated user within the OpenEMR system; no remote code execution or privilege escalation is possible. Because the flaw allows the retrieval of PHI without proper authorization, the potential impact on confidentiality is significant for affected users."}}}}, "created": "2026-03-20T08:56:14.322150+00:00", "updated": "2026-03-25T11:55:02.046448+00:00", "vendors": ["openemr", "openemr$PRODUCT$openemr"]}