PT-2026-28154 · Openemr · Openemr

Published: 2026-03-25 · Updated: 2026-03-26 · CVE-2026-33934

CVSS v3.1: 4.3 Medium (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Name of the Vulnerable Software and Affected Versions

OpenEMR versions prior to 8.0.0.3

Description

OpenEMR is an electronic health records and medical practice management application. A missing authorization check exists in portal/sign/lib/show-signature.php, allowing authenticated patient portal users to access the signature image of any staff member by manipulating the user parameter in the POST request. The save-signature.php endpoint was previously secured against this issue, but the show-signature.php endpoint remained vulnerable. The vulnerable parameter is user.

Recommendations

Update to version 8.0.0.3 or later.
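
The class of check the description says was missing, shown as an added sketch that is not OpenEMR code or the project's actual fix: the record to read is derived from the server-side session, and a portal session cannot use the POSTed user value to select a staff record. The session keys portal_pid and staff_id, the type field, the function names and the sample request are all hypothetical.

```php
<?php
declare(strict_types=1);

// Added illustration, not OpenEMR source. Session keys (portal_pid, staff_id),
// the "type" field and both function names are hypothetical.

final class SignatureAccessDenied extends RuntimeException
{
}

// "Before" shape: the record to load is chosen entirely by client input.
function targetUnchecked(array $post): array
{
    return ['type' => (string)($post['type'] ?? ''), 'id' => (string)($post['user'] ?? '')];
}

// "After" shape: the server-side session decides what the caller may read.
function targetAuthorized(array $session, array $post): array
{
    $type = (string)($post['type'] ?? '');
    $user = (string)($post['user'] ?? '');

    if (!empty($session['portal_pid'])) {
        $pid = (string)$session['portal_pid'];
        // Portal patients may read only their own signature; a "user" value
        // that names anyone else is rejected rather than silently honoured.
        if ($type !== 'patient' || ($user !== '' && $user !== $pid)) {
            throw new SignatureAccessDenied('portal session may not read this signature');
        }
        return ['type' => 'patient', 'id' => $pid];
    }
    if (!empty($session['staff_id'])) {
        // Staff lookups keep the requested id; finer per-role rules would go here.
        return ['type' => $type, 'id' => $user];
    }
    throw new SignatureAccessDenied('no authenticated session');
}

// Constructed request: a portal session for patient 17 asking for a staff record.
$session = ['portal_pid' => 17];
$post = ['type' => 'staff', 'user' => '4'];

echo json_encode(targetUnchecked($post)), PHP_EOL; // client input selects the record
try {
    targetAuthorized($session, $post);
} catch (SignatureAccessDenied $e) {
    echo 'denied: ', $e->getMessage(), PHP_EOL;
}
echo json_encode(targetAuthorized($session, ['type' => 'patient'])), PHP_EOL;
```

Because the description notes that save-signature.php was secured while show-signature.php was not, a check like this belongs in one shared function called by every endpoint that reads or writes signatures.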

Fix

IDOR

Missing Authorization

Weakness Enumeration

Related Identifiers

CVE-2026-33934

Affected Products

Openemr