CVE-2026-33302

Name of the Vulnerable Software and Affected Versions OpenEMR versions prior to 8.0.0.2

Description OpenEMR is an electronic health records and medical practice management application. A flaw exists in the module Access Control List (ACL) function AclMain::zhAclCheck(). The function only verifies the existence of "allow" permissions for users or groups, neglecting to check for explicit "deny" permissions. This allows administrators to be unable to revoke access by setting a user or group to "deny"; if the user is in a group that has "allow," access is granted regardless of explicit denies.

Recommendations Update to version 8.0.0.2 or later.