Missing Authorization in OpenEMR - CVE-2026-33915



Published: April 23, 2026


Vulnerability identifier: #VU127355
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-33915
CWE-ID: CWE-862
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenEMR
Affected software:
OpenEMR

Detailed vulnerability description

The vulnerability allows a remote user to modify insurance company records.

The vulnerability exists due to missing authorization in insurance company REST API routes when handling authenticated API requests to the insurance company endpoints. A remote user can send crafted API requests to modify insurance company records.

The affected routes also expose insurance company data and insurance types without the expected administrative ACL checks.
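An added illustration of the underlying defect class (CWE-862) and the defensive pattern that prevents it, not code from the advisory or from OpenEMR: a deny-by-default route authorization gate in which a route whose ACL requirement was never declared is refused rather than served. The route paths, ACL names and the `User` type are constructed for this example.

```python
# Added illustration for CVE-2026-33915 (CWE-862, missing authorization):
# a deny-by-default authorization gate for REST routes, modelled in Python.
# Route paths, ACL names and the User type are constructed for this example;
# they are not OpenEMR's own identifiers.
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    acls: frozenset = field(default_factory=frozenset)  # e.g. {"admin"}


# Route table: (method, path) -> ACL required for the call.
# A route with ACL None stands for the vulnerable state: the handler exists,
# but no authorization requirement was ever declared for it.
ROUTES = {
    ("GET", "/api/insurance_company"): "admin",
    ("POST", "/api/insurance_company"): "admin",
    ("PUT", "/api/insurance_company/{id}"): None,  # check forgotten
    ("GET", "/api/insurance_type"): "admin",
    ("GET", "/api/patient/{pid}"): "patient",
}


def authorize(user, method, path):
    """Return (allowed, reason). Authentication is assumed to have already
    happened; this decides authorization only. Unknown routes and routes
    with no declared ACL are denied, so a forgotten check fails closed."""
    if (method, path) not in ROUTES:
        return False, "unknown route"
    acl = ROUTES[(method, path)]
    if acl is None:
        return False, "no ACL declared for route (fail closed)"
    if acl in user.acls:
        return True, "ok"
    return False, f"requires {acl}"


def audit_routes(routes=ROUTES):
    """Defender check: list routes that have no ACL declared. Run this in CI
    so a route like the insurance company PUT above cannot ship unguarded."""
    return sorted(f"{m} {p}" for (m, p), acl in routes.items() if acl is None)
```

With a fail-closed gate, the forgotten declaration surfaces as a 403 and as a CI audit finding instead of as an unauthenticated-to-admin write path.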


How to mitigate CVE-2026-33915

Install the security update from the vendor's website.

Sources