Description

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, an authorization bypass in the optional FaxSMS module (`oe-module-faxsms`) allows any authenticated OpenEMR user to invoke controller methods — including `getNotificationLog()`, which returns patient appointment data (PHI) — regardless of whether they hold the required ACL permissions. The `AppDispatch` constructor dispatches user-controlled actions and exits the process before any calling code can enforce ACL checks. Version 8.0.0.2 fixes the issue.

INFO

Published Date :

2026-03-19T20:30:57.300Z

Last Modified :

2026-03-21T03:31:08.059Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-33305 vulnerability.

Vendors Products
Open-emr
  • Openemr
Openemr
  • Openemr
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-33305.

URL Resource
https://github.com/openemr/openemr/commit/edb65936e259b2625e8eea4628316c4577cb2a11 cve-icon cve-icon
https://github.com/openemr/openemr/security/advisories/GHSA-r973-h5cq-35rc cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact