Cyber Posture

CVE-2026-33302

Severity: High · Public PoC

Published: 19 March 2026
Modified: 20 March 2026
KEV Added: (none)
Patch: available (fixed in 8.0.0.2)
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0011 (29.5th percentile)
Risk Priority: 16 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, the module ACL function `AclMain::zhAclCheck()` only checks for the presence of any "allow" (user or group). It never checks for an explicit "deny" (allowed=0). As a result, administrators cannot revoke access by setting a user or group to "deny"; if the user is in a group that has "allow", access is granted regardless of explicit denies. Version 8.0.0.2 fixes the issue.

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): mandates enforcement of approved access authorizations, which directly addresses the failure of OpenEMR's ACL function to honour explicit deny entries.

SI-2 Flaw Remediation (prevent): requires timely identification, reporting, and correction of software flaws, here by upgrading OpenEMR to 8.0.0.2 to fix the authorization defect.

AC-6 Least Privilege (prevent): keeping group allows as narrow as possible limits what a user can reach even while deny entries are being ignored, reducing the confidentiality and integrity impact.

Security Summary

CVE-2026-33302 is a vulnerability in OpenEMR, a free and open source electronic health records and medical practice management application. In versions prior to 8.0.0.2, the ACL module's `AclMain::zhAclCheck()` function fails to properly enforce access control by only checking for the presence of any "allow" setting on a user or group, while ignoring explicit "deny" settings (allowed=0). This allows access to be granted if a user belongs to any group with an "allow," overriding administrator-intended denies. The issue is classified under CWE-863 (Incorrect Authorization) with a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

An attacker with low privileges (PR:L), such as an authenticated user, can exploit this over the network (AV:N) with low complexity and no user interaction required. If an administrator attempts to revoke access by setting an explicit deny on the user or their group, but the user remains in another group with an "allow", the vulnerability permits the access the administrator intended to remove. The precondition is therefore a pre-existing allow on the user or one of their groups: the flaw is a failure of revocation, not a way to obtain access that was never granted. The result is high confidentiality (C:H) and integrity (I:H) impact, potentially allowing the attacker to view or modify electronic health records and medical data beyond their intended permissions, while availability is unaffected (A:N).

The OpenEMR security advisory (GHSA-v68v-pwc4-8p2m) and the corresponding fix in commit 0ef9b1763029e52d43fcb4fd0ebb0769a7ec43d4 confirm that upgrading to version 8.0.0.2 resolves the issue by evaluating explicit denies in the ACL check. Security practitioners should prioritize patching affected OpenEMR instances and, after upgrading, review existing ACL configurations to verify that each explicit deny is actually enforced, since denies configured before the fix may have been silently ineffective.
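The following Python model is an added example, not OpenEMR's code or its database schema: it reproduces the logic defect the description and summary above both describe (grant on any "allow", never consult allowed=0), places the corrected rule beside it, and includes the kind of post-upgrade audit the summary recommends. The class name, function names, section names and the user/group data are all constructed for illustration and do not correspond to `AclMain::zhAclCheck()` or to OpenEMR's actual ACL tables.

```python
# Added illustration (not OpenEMR code): a minimal model of an ACL check that
# grants on any "allow" and never consults explicit "deny" (allowed=0) entries,
# beside a corrected check where an explicit deny wins, plus an audit helper
# that lists denies a group allow would have shadowed. All names and data are
# constructed for the example.
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    subject: str   # user name or group name the entry applies to
    section: str   # protected ACL section, e.g. "patients" (constructed)
    allowed: int   # 1 = allow, 0 = explicit deny


# Constructed sample data: jdoe was denied "patients" directly but is still a
# member of the "clinicians" group, which holds an allow for that section.
MEMBERSHIPS = {
    "jdoe": ["clinicians", "billing"],
    "asmith": ["clinicians"],
    "guest": [],
}
USERS = list(MEMBERSHIPS)
ENTRIES = [
    AclEntry("clinicians", "patients", 1),
    AclEntry("billing", "accounting", 1),
    AclEntry("jdoe", "patients", 0),      # the administrator's explicit deny
]


def subjects_for(user, memberships):
    """The user plus every group the user belongs to."""
    return [user, *memberships.get(user, [])]


def acl_check_vulnerable(user, section, entries, memberships):
    """Flawed logic: True as soon as any matching entry has allowed=1.
    Entries with allowed=0 are never examined, so a deny cannot revoke access."""
    subjects = subjects_for(user, memberships)
    return any(
        e.section == section and e.subject in subjects and e.allowed == 1
        for e in entries
    )


def acl_check_fixed(user, section, entries, memberships):
    """Corrected logic: an explicit deny on the user or any of their groups
    overrides every allow; access requires at least one allow and no deny."""
    subjects = subjects_for(user, memberships)
    matching = [e for e in entries if e.section == section and e.subject in subjects]
    if any(e.allowed == 0 for e in matching):
        return False
    return any(e.allowed == 1 for e in matching)


def shadowed_denies(users, entries, memberships):
    """Post-patch audit: (user, section) pairs where an explicit deny exists
    but the flawed check would still have granted access through an allow.
    These are the denies that were silently ineffective before the fix."""
    found = []
    for user in users:
        denied_sections = {
            e.section for e in entries
            if e.subject in subjects_for(user, memberships) and e.allowed == 0
        }
        for section in sorted(denied_sections):
            if acl_check_vulnerable(user, section, entries, memberships):
                found.append((user, section))
    return found


if __name__ == "__main__":
    for user in USERS:
        vuln = acl_check_vulnerable(user, "patients", ENTRIES, MEMBERSHIPS)
        fixed = acl_check_fixed(user, "patients", ENTRIES, MEMBERSHIPS)
        print(f"{user:8} patients  flawed={vuln!s:5}  fixed={fixed!s:5}")
    print("denies shadowed by an allow:", shadowed_denies(USERS, ENTRIES, MEMBERSHIPS))
```

Running the script shows jdoe granted by the flawed check and refused by the corrected one, while asmith (allow, no deny) and guest (no entries) are unaffected. The audit helper is the check worth running over an instance's real user, group and ACL data after the upgrade: every pair it reports is a deny an administrator set in good faith that the old code was ignoring.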

Details

CWE(s): CWE-863 Incorrect Authorization

Affected Products: open-emr / openemr, versions prior to 8.0.0.2 (fixed in 8.0.0.2)

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why this technique?

The ACL bypass in OpenEMR's authorization check allows low-privileged (PR:L) authenticated users to override explicit denies and gain unauthorized access to confidential data and modification capabilities (C:H/I:H), exploiting a software vulnerability for privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

OpenEMR security advisory GHSA-v68v-pwc4-8p2m
OpenEMR fix commit 0ef9b1763029e52d43fcb4fd0ebb0769a7ec43d4