
OpenEMR: Unrestricted access to sensitive billing files

CVE-2026-33918
Summary

OpenEMR's billing file-download feature had a missing-authorization weakness: any authenticated user, even one without billing privileges, could download and delete sensitive files containing patient health information. This has been fixed in version 8.0.0.3. Upgrade to this version to ensure billing files are only reachable by users who hold the billing privilege.

Original description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the billing file-download endpoint `interface/billing/get_claim_file.php` only verifies that the caller has a valid session and CSRF token, but does not check any ACL permissions. This allows any authenticated OpenEMR user — regardless of whether they have billing privileges — to download and permanently delete electronic claim batch files containing protected health information (PHI). Version 8.0.0.3 patches the issue.
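The pattern behind CWE-862 here is an endpoint that authenticates the caller and validates the CSRF token but never asks whether the caller is allowed to touch billing data. The following is an added illustration, not OpenEMR's own code: the request handler, the session layout, and the helper names `sessionIsValid`, `csrfTokenIsValid`, `aclCheck` and the ACL labels `acct`/`bill` are all hypothetical stand-ins chosen for the example. It places the vulnerable gate sequence beside a hardened one that adds an authorization check in front of both the download and the delete action.

```php
<?php
// Added example (not OpenEMR's code): hypothetical claim-file handler
// showing the missing-authorization pattern and the corrected gate order.

declare(strict_types=1);

// Constructed stand-ins for a real session, CSRF and ACL layer.
function sessionIsValid(array $session): bool
{
    return isset($session['authUserID']);
}

function csrfTokenIsValid(array $session, string $token): bool
{
    return isset($session['csrf']) && hash_equals($session['csrf'], $token);
}

// Hypothetical ACL lookup: the session carries the "section/subsection"
// grants the user holds; a real system would consult its ACL store.
function aclCheck(array $session, string $section, string $subsection): bool
{
    $grants = $session['acl'] ?? [];
    return in_array("$section/$subsection", $grants, true);
}

// BEFORE: only authentication and CSRF are verified. Every logged-in user
// reaches the file operation, which is the weakness the advisory describes.
function handleClaimFileVulnerable(array $session, string $token, string $action): string
{
    if (!sessionIsValid($session)) {
        return '401 not logged in';
    }
    if (!csrfTokenIsValid($session, $token)) {
        return '403 bad csrf token';
    }
    return "200 $action claim file";
}

// AFTER: the same two gates, followed by an authorization check for the
// billing privilege. The check sits before the action dispatch so that
// download and delete are both covered by it.
function handleClaimFileFixed(array $session, string $token, string $action): string
{
    if (!sessionIsValid($session)) {
        return '401 not logged in';
    }
    if (!csrfTokenIsValid($session, $token)) {
        return '403 bad csrf token';
    }
    if (!aclCheck($session, 'acct', 'bill')) {   // hypothetical ACL labels
        // Log the denial: repeated hits from non-billing accounts are worth an alert.
        error_log("billing file $action denied for user {$session['authUserID']}");
        return '403 billing privilege required';
    }
    return "200 $action claim file";
}

// Constructed sessions: a clinician with no billing grant, and a biller.
$clinician = ['authUserID' => 7, 'csrf' => 'tok-a', 'acl' => ['patients/docs']];
$biller    = ['authUserID' => 9, 'csrf' => 'tok-b', 'acl' => ['acct/bill']];

foreach (['download', 'delete'] as $action) {
    echo 'vulnerable, clinician: ', handleClaimFileVulnerable($clinician, 'tok-a', $action), PHP_EOL;
    echo 'fixed, clinician:      ', handleClaimFileFixed($clinician, 'tok-a', $action), PHP_EOL;
    echo 'fixed, biller:         ', handleClaimFileFixed($biller, 'tok-b', $action), PHP_EOL;
}
```

Run with `php` on the command line; the vulnerable handler lets the clinician through on both actions, while the fixed handler refuses the clinician and admits only the session holding the billing grant. The design point is that the authorization check is a separate gate from authentication and CSRF validation, and that it applies to every action the endpoint can perform, not just the read path.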
NVD CVSS 3.1 base score: 7.6
Vulnerability type
CWE-862 Missing Authorization
Published: 26 Mar 2026 · Updated: 26 Mar 2026 · First seen: 26 Mar 2026