CVE-2026-33305

CVSS v2.0

5.5

Medium

Vector

AV:N/AC:L/Au:S/C:P/I:P/A:N

Name of the Vulnerable Software and Affected Versions OpenEMR versions prior to 8.0.0.2

Description OpenEMR is an electronic health records and medical practice management application. A flaw exists where an authorization bypass in the optional FaxSMS module (oe-module-faxsms) allows authenticated users to invoke controller methods, including getNotificationLog(), without proper access control checks. The AppDispatch constructor bypasses ACL enforcement, potentially exposing patient appointment data (PHI).

Recommendations Update to OpenEMR version 8.0.0.2 or later.

Exploit

Fix

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-862CWE-696

Related Identifiers

BDU:2026-05093

CVE-2026-33305

GHSA-R973-H5CQ-35RC

Affected Products

Faxsms Module

Openemr

CVE-2026-33305

Weakness Enumeration

Related Identifiers

Affected Products

References · 9