Incorrect authorization in OpenEMR - CVE-2026-33302

Published: April 30, 2026

Vulnerability identifier: #VU128547
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-33302
CWE-ID: CWE-863
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenEMR
Affected software:
OpenEMR

Detailed vulnerability description

The vulnerability allows a remote user to bypass authorization restrictions.

The vulnerability exists due to incorrect authorization in AclMain::zhAclCheck() when evaluating module ACL permissions. A remote user can bypass authorization restrictions because a group "allow" entry is honoured even though an explicit user or group "deny" entry exists.

Exploitation requires authentication and that the affected feature uses module ACL checks through zhAclCheck().
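As an added illustration of the flaw class described above (CWE-863: a permissive group entry masking an explicit deny), the following Python is a constructed example and not OpenEMR's AclMain or zhAclCheck() code; the entry format, the user, group and section names, and the evaluator behaviour are all assumptions made for the demonstration. It places an allow-first resolver next to a deny-precedence resolver and reports the (user, section) pairs on which the two disagree, which is the audit an administrator would want to run over an ACL table.

```python
"""Constructed example of CWE-863 ACL resolution, not OpenEMR's code.

Two evaluators run over the same entries: `allow_wins` returns True as soon as
any matching "allow" is found (so a group allow masks an explicit deny), while
`deny_wins` lets any matching explicit deny override every allow and denies by
default. `audit_divergence` lists the (user, section) pairs on which the two
disagree, which is what an administrator would want to review.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class AclEntry:
    subject: str   # "user:<name>" or "group:<name>"; naming is an assumption
    section: str   # resource or module section being protected
    allow: bool    # True for an allow entry, False for an explicit deny


def matching_entries(acl: Iterable[AclEntry], user: str, groups: Iterable[str],
                     section: str) -> List[AclEntry]:
    """Entries for this section that name the user or one of their groups."""
    subjects = {f"user:{user}"} | {f"group:{g}" for g in groups}
    return [e for e in acl if e.section == section and e.subject in subjects]


def allow_wins(acl, user, groups, section) -> bool:
    """Flawed resolution: the first matching allow grants access, whether or
    not an explicit deny for the same user or another group also matches."""
    return any(e.allow for e in matching_entries(acl, user, groups, section))


def deny_wins(acl, user, groups, section) -> bool:
    """Deny-precedence resolution: any matching explicit deny blocks access;
    otherwise access needs at least one allow; no matching entry means deny."""
    matches = matching_entries(acl, user, groups, section)
    if any(not e.allow for e in matches):
        return False
    return any(e.allow for e in matches)


def audit_divergence(acl, principals: Dict[str, List[str]],
                     sections: Iterable[str]) -> List[Tuple[str, str]]:
    """(user, section) pairs where allow-first grants what deny-first refuses."""
    return [
        (user, section)
        for user, groups in principals.items()
        for section in sections
        if allow_wins(acl, user, groups, section) != deny_wins(acl, user, groups, section)
    ]


# Constructed sample data: users, groups and sections are invented for the demo.
SAMPLE_ACL = [
    AclEntry("user:alice", "patients", allow=False),        # explicit user deny
    AclEntry("group:clinicians", "patients", allow=True),   # group allow
    AclEntry("group:clinicians", "billing", allow=True),
    AclEntry("group:contractors", "billing", allow=False),  # explicit group deny
]
SAMPLE_PRINCIPALS = {"alice": ["clinicians"], "bob": ["clinicians", "contractors"]}
SAMPLE_SECTIONS = ["patients", "billing", "admin"]


if __name__ == "__main__":
    for user, section in audit_divergence(SAMPLE_ACL, SAMPLE_PRINCIPALS, SAMPLE_SECTIONS):
        print(f"{user}/{section}: allow-first grants, deny-first refuses")
```

Run as a script it prints the two divergent pairs from the sample data (alice on "patients", where her explicit user deny is masked by the clinicians group allow, and bob on "billing", where a group deny is masked by another group's allow). The design point is that deny-precedence needs every matching entry to be collected before a decision is made; an evaluator that returns on the first allow cannot see a later deny at all.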


How to mitigate CVE-2026-33302

Install the security update from the vendor's website.

Sources