Description

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the billing file-download endpoint `interface/billing/get_claim_file.php` only verifies that the caller has a valid session and CSRF token, but does not check any ACL permissions. This allows any authenticated OpenEMR user — regardless of whether they have billing privileges — to download and permanently delete electronic claim batch files containing protected health information (PHI). Version 8.0.0.3 patches the issue.

INFO

Published Date :

2026-03-25T23:35:06.883Z

Last Modified :

2026-03-26T18:09:09.836Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-33918 vulnerability.

Vendors Products
Open-emr
  • Openemr
Openemr
  • Openemr
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-33918.

URL Resource
https://github.com/openemr/openemr/commit/f6d98d0102df0a8f131be560d9208fb65fba6188 cve-icon cve-icon
https://github.com/openemr/openemr/releases/tag/v8_0_0_3 cve-icon cve-icon
https://github.com/openemr/openemr/security/advisories/GHSA-g3p5-5grq-m65m cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact