Missing Authorization in OpenEMR - CVE-2026-33305


Published: April 23, 2026


Vulnerability identifier: #VU127325
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-33305
CWE-ID: CWE-862
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenEMR
Affected software:
OpenEMR

Detailed vulnerability description

The vulnerability allows a remote authenticated user with low privileges (PR:L in the vector above) to disclose sensitive information and modify configuration data.

The vulnerability exists because the FaxSMS AppDispatch constructor and its action dispatch mechanism perform no authorization check when handling requests that carry the _ACTION_COMMAND parameter (CWE-862, missing authorization). A remote user can send a specially crafted request naming an action and have it executed, disclosing sensitive information or modifying configuration data.

Only installations with the optional oe-module-faxsms module enabled are vulnerable.
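As an added illustration, not OpenEMR's code and not the vendor's fix, the following PHP sketches the CWE-862 pattern the description points at: a dispatcher whose constructor turns a user-supplied _ACTION_COMMAND value straight into a method call with no authorization check, beside a hardened variant that allow-lists the action and authorizes the caller before dispatching anything. The class and method names, the isAuthorized callback and the request arrays are hypothetical and constructed for this example.

```php
<?php
declare(strict_types=1);

// Hypothetical illustration of CWE-862 in an action dispatcher (not OpenEMR code).

final class VulnerableDispatch
{
    private array $request;

    public function __construct(array $request)
    {
        $this->request = $request;
        // Flaw: the constructor dispatches immediately and never asks whether the
        // caller may run the requested action, so any user who can reach this entry
        // point can invoke any public method by name.
        $action = (string)($this->request['_ACTION_COMMAND'] ?? '');
        if ($action !== '' && method_exists($this, $action)) {
            $this->$action();
        }
    }

    public function getSetup(): void { echo "[vulnerable] getSetup ran: configuration disclosed\n"; }
    public function saveSetup(): void { echo "[vulnerable] saveSetup ran: configuration modified\n"; }
}

final class HardenedDispatch
{
    // Explicit allow-list: only these actions can ever be reached by name.
    private const ALLOWED_ACTIONS = ['getSetup', 'saveSetup'];
    private array $request;
    /** @var callable(string):bool  hypothetical stand-in for a real ACL lookup */
    private $isAuthorized;

    public function __construct(array $request, callable $isAuthorized)
    {
        // The constructor only stores state; nothing is dispatched here.
        $this->request = $request;
        $this->isAuthorized = $isAuthorized;
    }

    public function run(): string
    {
        $action = (string)($this->request['_ACTION_COMMAND'] ?? '');
        // 1. Reject anything not on the allow-list before touching the object.
        if (!in_array($action, self::ALLOWED_ACTIONS, true)) {
            return "rejected: unknown action '$action'";
        }
        // 2. Authorize the caller for this specific action before dispatching.
        if (!($this->isAuthorized)($action)) {
            return "rejected: caller not authorized for '$action'";
        }
        return $this->$action();
    }

    private function getSetup(): string { return "[hardened] getSetup ran for an authorized caller"; }
    private function saveSetup(): string { return "[hardened] saveSetup ran for an authorized caller"; }
}

// Constructed request: a low-privileged user asking for the setup-reading action.
$request = ['_ACTION_COMMAND' => 'getSetup'];

// Constructed authorization callbacks standing in for a real admin ACL check.
$denyAll  = static fn(string $action): bool => false;
$allowAll = static fn(string $action): bool => true;

new VulnerableDispatch($request);                                  // runs for anyone
echo (new HardenedDispatch($request, $denyAll))->run(), "\n";      // rejected: not authorized
echo (new HardenedDispatch($request, $allowAll))->run(), "\n";     // runs for the authorized caller
echo (new HardenedDispatch(['_ACTION_COMMAND' => 'dropTables'], $allowAll))->run(), "\n"; // rejected: unknown action
```

The two points worth carrying over to a real code base are that authorization has to happen on every request path before the dispatch, not in whichever action methods happen to remember it, and that dispatching on a caller-chosen method name should go through an allow-list rather than method_exists, so that adding a method never silently adds an externally reachable action.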


How to mitigate CVE-2026-33305

Install the security update from the vendor's website. Installations without the optional oe-module-faxsms module enabled are not affected; where the module is enabled and the update cannot be applied immediately, disabling the module removes the vulnerable entry point until the update is in place.
