CVE-2026-33304 Overview
OpenEMR is a free and open source electronic health records (EHR) and medical practice management application widely used by healthcare organizations. An authorization bypass vulnerability exists in the dated reminders log functionality that allows any authenticated non-admin user to view reminder messages belonging to other users. This includes access to associated patient names and free-text message content by crafting a GET request with arbitrary user IDs in the sentTo[] or sentBy[] parameters.
Critical Impact
This vulnerability enables horizontal privilege escalation, allowing authenticated users to access sensitive patient health information (PHI) and private communications belonging to other users within the healthcare system.
Affected Products
- OpenEMR versions prior to 8.0.0.2
Discovery Timeline
- 2026-03-19 - CVE-2026-33304 published to NVD
- 2026-03-19 - Last updated in NVD database
Technical Details for CVE-2026-33304
Vulnerability Analysis
This vulnerability is classified as CWE-639: Authorization Bypass Through User-Controlled Key, also known as Insecure Direct Object Reference (IDOR). The dated reminders log functionality in OpenEMR fails to properly validate that non-admin users can only access their own reminder messages. The vulnerable endpoint at interface/main/dated_reminders/dated_reminders_log.php accepts user-supplied sentTo[] and sentBy[] parameters without verifying the requesting user has authorization to view messages for those user IDs.
An attacker with any authenticated non-admin account can enumerate user IDs and retrieve reminder messages containing protected health information (PHI), violating HIPAA compliance requirements and exposing sensitive patient data.
Root Cause
The root cause lies in insufficient authorization checks in the dated reminders log functionality. The original code only set default values for sentTo and sentBy parameters when they were empty, but did not enforce that non-admin users could only access their own data. This allowed non-admin users to override these parameters with arbitrary user IDs to access other users' reminder messages.
Attack Vector
The vulnerability is exploitable over the network by any authenticated non-admin user. An attacker can craft a malicious GET request to the dated reminders log endpoint, injecting arbitrary user IDs into the sentTo[] or sentBy[] parameters. No special privileges beyond basic authentication are required, and no user interaction is needed. The attack can be automated to enumerate all user IDs and extract all reminder messages in the system.
// Security patch from interface/main/dated_reminders/dated_reminders_log.php
// Source: https://github.com/openemr/openemr/commit/21dee7658a5f3b18c5750e3fae7324e875c1703a
}
if (!$isAdmin) {
- if (empty($_GET['sentBy']) and empty($_GET['sentTo'])) {
- $_GET['sentTo'] = [intval($_SESSION['authUserID'])];
- }
+ // Force non-admin users to only see their own reminders,
+ // regardless of any user-supplied sentBy/sentTo parameters.
+ $currentUser = [intval($_SESSION['authUserID'])];
+ $_GET['sentBy'] = $currentUser;
+ $_GET['sentTo'] = $currentUser;
}
$remindersArray = [];
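Review bot: forcing both sentBy and sentTo to $currentUser narrows the default filter more than the removed code did, which only defaulted sentTo (and only when neither parameter was supplied); verify how the query that consumes these arrays combines them (AND versus OR), otherwise a non-admin user would no longer see reminders sent to them by someone else. A smaller point: overwriting $_GET in place hides the override from anything that reads the superglobal later; assigning the constrained values to local variables that feed the query would make the authorization intent explicit.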
The patch enforces that non-admin users can only view their own reminders by overwriting any user-supplied sentBy and sentTo parameters with the current user's ID, regardless of what values were submitted in the request.
Detection Methods for CVE-2026-33304
Indicators of Compromise
- HTTP GET requests to /interface/main/dated_reminders/dated_reminders_log.php containing sentTo[] or sentBy[] parameters with user IDs different from the authenticated user
- Unusual access patterns from non-admin accounts requesting dated reminders log with varying user ID parameters
- Sequential or enumerated user ID values in the sentTo[] or sentBy[] parameters indicating automated scanning
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block requests with manipulated sentTo[] or sentBy[] parameters from non-admin users
- Enable detailed access logging for the dated reminders log endpoint and monitor for anomalous access patterns
- Deploy application-layer intrusion detection to identify parameter tampering attempts on sensitive healthcare endpoints
Monitoring Recommendations
- Monitor authentication logs for users accessing the dated reminders functionality with abnormal frequency
- Configure alerts for GET requests to the vulnerable endpoint that contain multiple or foreign user IDs in the request parameters
- Review access logs for attempts to enumerate user IDs through the reminders log functionality
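The indicators and detection strategies above can be turned into a log check. This is an added example, not code from the advisory or the OpenEMR project; it assumes a combined-style access log with the OpenEMR session user id appended as a "user=<id>" field (a constructed format, as are the sample lines), and it flags requests whose sentTo[] or sentBy[] values name a different user, plus accounts that touch several foreign ids, which is the enumeration pattern listed among the indicators.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/interface/main/dated_reminders/dated_reminders_log.php"

# Constructed sample log lines (not taken from the advisory). Assumed format:
# combined-style access log with the OpenEMR session user id appended as a
# "user=<id>" field; adapt LINE_RE to whatever your logging actually emits.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Mar/2026:10:01:02 +0000] "GET /interface/main/dated_reminders/dated_reminders_log.php?sentTo[]=7 HTTP/1.1" 200 512 user=7
10.0.0.5 - - [19/Mar/2026:10:01:09 +0000] "GET /interface/main/dated_reminders/dated_reminders_log.php?sentTo[]=1&sentTo[]=2 HTTP/1.1" 200 2048 user=7
10.0.0.5 - - [19/Mar/2026:10:01:11 +0000] "GET /interface/main/dated_reminders/dated_reminders_log.php?sentBy[]=3 HTTP/1.1" 200 900 user=7
10.0.0.9 - - [19/Mar/2026:10:02:00 +0000] "GET /interface/main/dated_reminders/dated_reminders_log.php HTTP/1.1" 200 400 user=4
10.0.0.2 - - [19/Mar/2026:10:03:00 +0000] "GET /interface/main/dated_reminders/dated_reminders_log.php?sentTo[]=9 HTTP/1.1" 200 700 user=1
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'\d+ \d+ user=(?P<user>\d+)$'
)

def foreign_ids(target: str, user: int) -> set:
    """Return user ids given in sentTo[]/sentBy[] that differ from the requester."""
    parts = urlsplit(target)
    if parts.path != ENDPOINT:
        return set()
    qs = parse_qs(parts.query)  # parse_qs keeps the literal "sentTo[]" key
    ids = set()
    for key in ("sentTo[]", "sentBy[]", "sentTo", "sentBy"):
        ids.update(int(v) for v in qs.get(key, []) if v.isdigit())
    return {i for i in ids if i != user}

def analyze(log_text: str, admin_ids=frozenset(), enum_threshold: int = 3) -> dict:
    """Flag per-request tampering and users that touch many foreign ids."""
    tampered = []
    touched = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        user = int(m["user"])
        if user in admin_ids:  # admins may legitimately filter on other users
            continue
        foreign = foreign_ids(m["target"], user)
        if foreign:
            tampered.append((user, sorted(foreign)))
            touched[user].update(foreign)
    enumerating = sorted(u for u, ids in touched.items() if len(ids) >= enum_threshold)
    return {"tampered": tampered, "enumerating": enumerating}
```

Pass the ids of known admin accounts in admin_ids so that legitimate admin filtering is not reported; everything else that names a foreign user id on this endpoint is worth a ticket.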
How to Mitigate CVE-2026-33304
Immediate Actions Required
- Upgrade OpenEMR to version 8.0.0.2 or later immediately
- Review access logs for any evidence of exploitation prior to patching
- Audit reminder message access to identify potential data breaches
- Notify affected parties and compliance officers if unauthorized access to PHI is detected
Patch Information
OpenEMR has released version 8.0.0.2 which includes a fix for this vulnerability. The patch ensures that non-admin users can only access their own reminder messages by forcing the sentBy and sentTo parameters to the current user's ID, regardless of any user-supplied values. Details are available in the GitHub Security Advisory GHSA-66j9-ffq4-h222 and the commit fix.
Workarounds
- If immediate patching is not possible, restrict access to the dated reminders log functionality to admin users only at the web server level
- Implement network segmentation to limit who can access the OpenEMR application
- Deploy a web application firewall with rules to strip or block sentTo[] and sentBy[] parameters from non-admin user requests
# Example Apache configuration to restrict access to the vulnerable endpoint
# Requires an existing AuthType/AuthUserFile/AuthGroupFile setup (mod_authz_groupfile);
# Apache cannot see OpenEMR's own session login, so the admin group must be
# maintained at the web-server level.
<Location "/interface/main/dated_reminders/dated_reminders_log.php">
    # Restrict to admin group only until patch is applied
    Require group openemr-admins
</Location>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.