CVE-2026-33915

Name of the Vulnerable Software and Affected Versions OpenEMR versions prior to 8.0.0.3

Description OpenEMR, a free and open source electronic health records and medical practice management application, has an issue where certain REST API routes related to insurance companies lack proper authorization checks. Specifically, the RestConfig::request authorization check() call is missing from five insurance company REST API routes. This allows authenticated API users to create and modify insurance company records, even if their OpenEMR user account lacks the necessary administrative permissions. The affected API endpoints are not explicitly listed. The vulnerable functionality involves the modification of insurance company records.

Recommendations Update to version 8.0.0.3 or later.