LeakyCreds

CVE-2026-33931 - Vulnerability Analysis

Medium, CVSS: 6.5

Last Updated: March 26, 2026

OpenEMR - Broken Access Control

Published: March 26, 2026 | Updated: March 26, 2026 | PoC Available | Remote Exploitable

Overview

OpenEMR < 8.0.0.3 contains an insecure direct object reference caused by improper access control on the patient portal payment page, letting authenticated portal patients access other patients' payment records by manipulating the recid parameter.

Severity & Score

Severity: Medium
CVSS Score: 6.5

Impact

Authenticated patients can access other patients' sensitive payment and billing information, risking privacy and data confidentiality.

Mitigation

Upgrade to version 8.0.0.3 or later.

Details

CVE ID: CVE-2026-33931
Severity: Medium
CVSS Score: 6.5
Type: broken_access_control
Status: confirmed

CWE

  • CWE-639

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N