PT-2026-28147 · Openemr · Openemr

Published 2026-03-25 · Updated 2026-03-26 · CVE-2026-33918

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OpenEMR versions prior to 8.0.0.3

Description: OpenEMR is an electronic health records and medical practice management application. Versions prior to 8.0.0.3 lack proper access control checks on the billing file-download endpoint, interface/billing/get claim file.php. Any authenticated user, regardless of their assigned billing privileges, can download and delete electronic claim batch files containing protected health information (PHI). The endpoint verifies only that a valid session and CSRF token are present; it does not confirm that the user holds the appropriate access permissions.

Recommendations: Update to version 8.0.0.3 or later.
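The following is an added illustration of the weakness class the description names; it is not OpenEMR's code and is not part of this advisory. It places a download handler that checks only the session and CSRF token beside one that additionally verifies the caller's billing privilege and constrains the requested file name. The helper names (`require_login`, `verify_csrf_token`, `user_has_permission`, `audit_log`), the `PERMISSIONS` table, and the `CLAIM_DIR` location are assumptions made for the example.

```php
<?php
// Added example: the "authentication + CSRF only" pattern described in the
// advisory, next to a version that also performs an authorization check.
// All helper names, the permission table and CLAIM_DIR are assumptions.

define('CLAIM_DIR', sys_get_temp_dir() . '/claims_example'); // assumed claim-file directory

// Constructed permission table standing in for the application's ACL store.
const PERMISSIONS = [
    'user-billing' => ['billing'  => ['claim_files']],
    'user-nurse'   => ['patients' => ['charts']],
];

function require_login(array $session): void
{
    if (empty($session['user_id'])) {
        http_response_code(401);
        throw new RuntimeException('login required');
    }
}

function verify_csrf_token(array $session, string $token): void
{
    // A CSRF token proves the request came from the application's own pages;
    // it says nothing about what the logged-in user is allowed to do.
    if (!hash_equals($session['csrf_token'] ?? '', $token)) {
        http_response_code(403);
        throw new RuntimeException('bad csrf token');
    }
}

function user_has_permission(string $user, string $section, string $value): bool
{
    return in_array($value, PERMISSIONS[$user][$section] ?? [], true);
}

function audit_log(string $event, string $user, string $target): void
{
    error_log(sprintf('%s user=%s target=%s', $event, $user, $target));
}

// --- Pattern the advisory describes: valid session + CSRF token, nothing else --
function download_claim_weak(array $session, array $request): string
{
    require_login($session);                                   // any valid session passes
    verify_csrf_token($session, $request['csrf_token'] ?? ''); // same-origin intent only
    // Missing: a check that this user holds the billing privilege.
    return (string) file_get_contents(CLAIM_DIR . '/' . $request['key']);
}

// --- Hardened version: authorization check plus constrained file lookup -------
function download_claim_hardened(array $session, array $request): string
{
    require_login($session);
    verify_csrf_token($session, $request['csrf_token'] ?? '');

    // Authorization is decided server-side on every request; hiding the link in
    // the UI is not a control. The same check must gate the delete action too.
    if (!user_has_permission($session['user_id'], 'billing', 'claim_files')) {
        http_response_code(403);
        audit_log('claim_download_denied', $session['user_id'], (string) ($request['key'] ?? ''));
        throw new RuntimeException('forbidden');
    }

    // Only plain file names inside CLAIM_DIR may be served.
    $name = basename((string) ($request['key'] ?? ''));
    if (!preg_match('/^[A-Za-z0-9._-]+$/', $name)) {
        http_response_code(400);
        throw new RuntimeException('bad file name');
    }
    $path = realpath(CLAIM_DIR . '/' . $name);
    if ($path === false || strpos($path, realpath(CLAIM_DIR) . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(404);
        throw new RuntimeException('not found');
    }

    audit_log('claim_download', $session['user_id'], $name); // PHI access is recorded
    return (string) file_get_contents($path);
}

// --- Demonstration with a constructed claim file and two users ----------------
@mkdir(CLAIM_DIR, 0700, true);
file_put_contents(CLAIM_DIR . '/batch-0001.edi', "ISA*00*...constructed sample...~\n");

$nurse   = ['user_id' => 'user-nurse', 'csrf_token' => 'tok-nurse'];
$request = ['key' => 'batch-0001.edi', 'csrf_token' => 'tok-nurse'];

echo "weak endpoint, nurse: ", strlen(download_claim_weak($nurse, $request)), " bytes served\n";
try {
    download_claim_hardened($nurse, $request);
} catch (RuntimeException $e) {
    echo "hardened endpoint, nurse: ", $e->getMessage(), "\n";
}

$biller = ['user_id' => 'user-billing', 'csrf_token' => 'tok-bill'];
echo "hardened endpoint, biller: ",
     strlen(download_claim_hardened($biller, ['key' => 'batch-0001.edi', 'csrf_token' => 'tok-bill'])),
     " bytes served\n";
```

Run with `php example.php`: the weak handler serves the file to the nurse account because its session and token are valid, while the hardened handler refuses with `forbidden` and writes an audit line; the billing account is served by both. When reviewing a patch for this class of issue, look for the privilege check on every action the endpoint exposes (download and delete here), not only on the page that renders the links.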


Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2026-33918
GHSA-G3P5-5GRQ-M65M

Affected Products

Openemr