CVE-2026-33917 Overview
CVE-2026-33917 is a SQL injection vulnerability affecting OpenEMR, a free and open source electronic health records (EHR) and medical practice management application. Versions prior to 8.0.0.3 contain a SQL injection vulnerability in the ajax_save CAMOS form that can be exploited by authenticated attackers. The vulnerability exists due to insufficient input validation in the ajax_save page within the CAMOS form component.
Critical Impact
Authenticated attackers can exploit this SQL injection vulnerability to potentially access, modify, or delete sensitive patient health records and other critical medical data stored in the OpenEMR database.
Affected Products
- OpenEMR versions prior to 8.0.0.3
- open-emr openemr (vendor/product as listed; all versions before the patch)
Discovery Timeline
- 2026-03-26 - CVE-2026-33917 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-33917
Vulnerability Analysis
This SQL injection vulnerability (CWE-89) affects the CAMOS (Computer-Aided Medical Ordering System) form functionality within OpenEMR. The flaw specifically impacts the content_parser.php file in the interface/forms/CAMOS/ directory. Authenticated users with access to the CAMOS form can inject malicious SQL statements through unsanitized user input.
The vulnerability allows attackers with valid credentials to manipulate database queries, potentially leading to unauthorized data access, data modification, or complete database compromise. Given that OpenEMR handles highly sensitive protected health information (PHI), exploitation could result in HIPAA compliance violations and significant data breaches affecting patient privacy.
Root Cause
The root cause is insufficient input validation and improper sanitization of user-supplied data in the addAppt function within content_parser.php. Specifically, the $days parameter was passed into the SQL query through add_escape_custom(), which escapes quote and control characters for use inside a quoted string literal. The value was concatenated into an unquoted numeric position (interval ... day), where there are no quotes to escape, so the escaping left attacker-controlled text essentially unchanged. The parameter was concatenated directly into the SQL query string without being cast to a numeric type.
Attack Vector
The attack is network-accessible and requires low privileges (authenticated user access). An attacker with valid OpenEMR credentials can exploit this vulnerability by:
- Accessing the CAMOS form functionality within the OpenEMR interface
- Submitting crafted input containing SQL injection payloads through the ajax_save endpoint
- Manipulating the days parameter to inject arbitrary SQL commands
- Potentially extracting sensitive patient data, modifying records, or escalating privileges within the database
The following code shows the security patch that addresses this vulnerability:
require_once(__DIR__ . "/../../../library/api.inc.php");
require_once(__DIR__ . "/../../forms/vitals/C_FormVitals.class.php");
-function addAppt($days, $time)
+function addAppt(string $days, $time)
{
$sql = "insert into openemr_postcalendar_events (pc_pid, pc_eventDate," .
- "pc_comments, pc_aid,pc_startTime) values (?, date_add(current_date(), interval " . add_escape_custom($days) .
+ "pc_comments, pc_aid,pc_startTime) values (?, date_add(current_date(), interval " . (int) $days .
" day),'from CAMOS', ?, ?)";
return sqlInsert($sql, [$_SESSION['pid'], $_SESSION['authUserID'], $time]);
}
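Review bot: the new `string $days` type declaration on the signature does not reject anything a caller supplies (under PHP's default coercive mode an integer argument is simply converted to a string), so the `(int) $days` cast on the following line is the actual fix and the hint is cosmetic; consider typing the parameter `int $days` and validating at the call site instead. Since the statement already goes through sqlInsert() with `?` placeholders, the day count could also be bound rather than concatenated, i.e. `interval ? day` with `(int) $days` added to the parameter array in placeholder order, which leaves no user-derived fragment in the SQL text at all. Note that `(int)` maps non-numeric input to 0 silently, so garbage now schedules an event for today rather than failing; if that is not the desired behaviour the caller needs an explicit integer check.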
Source: GitHub Commit
The patch addresses the vulnerability by:
- Adding a string type declaration (string $days) to the function parameter
- Casting the $days variable to an integer using (int) before concatenation, ensuring only numeric values can be used in the SQL query
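The following is an added example, written for this page and not taken from the OpenEMR patch or code base. It shows why quote escaping gives no protection in an unquoted numeric SQL position, how the shipped (int) cast changes the constructed statement, and a stricter validate-and-bind variant. fake_escape() is a stand-in for OpenEMR's add_escape_custom(); the pid, user id and time values, the range check, and the bound-parameter variant are assumptions and not part of the OpenEMR fix.

```php
<?php
// Added example, not OpenEMR's code: shows why escaping a value does not protect an
// unquoted numeric SQL fragment such as "interval <n> day", and compares the shipped
// (int) cast with a stricter validate-and-bind variant. fake_escape() is a stand-in for
// OpenEMR's add_escape_custom() written for this example; the pid/user/time values and
// the validate-and-bind variant are assumptions, not part of the OpenEMR patch.
declare(strict_types=1);

// add_escape_custom() escapes quote and control characters for use inside a quoted
// string literal; addslashes() is close enough to show the effect here.
function fake_escape(string $value): string
{
    return addslashes($value);
}

// Pre-patch shape: the escaped value lands in an unquoted numeric position, so any text
// without quote characters passes through untouched.
function build_before(string $days): string
{
    return "insert into openemr_postcalendar_events (pc_pid, pc_eventDate, pc_comments, pc_aid, pc_startTime)"
        . " values (?, date_add(current_date(), interval " . fake_escape($days) . " day), 'from CAMOS', ?, ?)";
}

// Patched shape: (int) turns the string into an integer (leading digits, or 0 when
// there are none), so only digits and an optional sign can reach the statement.
function build_after(string $days): string
{
    return "insert into openemr_postcalendar_events (pc_pid, pc_eventDate, pc_comments, pc_aid, pc_startTime)"
        . " values (?, date_add(current_date(), interval " . (int) $days . " day), 'from CAMOS', ?, ?)";
}

// Stricter variant (assumption): reject anything that is not an integer in a sane range
// instead of coercing it to 0, and pass the value as a bound parameter so the SQL text
// is a constant. Assumes the driver accepts a bound integer inside the INTERVAL expression.
function days_or_fail(string $days): int
{
    $n = filter_var($days, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0, 'max_range' => 3650]]);
    if ($n === false) {
        throw new InvalidArgumentException('days must be an integer between 0 and 3650');
    }
    return $n;
}

function build_bound(string $days): array
{
    $sql = "insert into openemr_postcalendar_events (pc_pid, pc_eventDate, pc_comments, pc_aid, pc_startTime)"
        . " values (?, date_add(current_date(), interval ? day), 'from CAMOS', ?, ?)";
    // Parameter order follows the placeholders; 101, 7 and the time are constructed values
    // standing in for $_SESSION['pid'], $_SESSION['authUserID'] and $time.
    return [$sql, [101, days_or_fail($days), 7, '09:00:00']];
}

// Constructed inputs: a normal day count, a value with trailing text, and no digits at all.
foreach (['14', '14 abc', 'abc'] as $in) {
    echo "input '$in'\n";
    echo "  before: " . build_before($in) . "\n";   // trailing text survives escaping
    echo "  after:  " . build_after($in) . "\n";    // only the leading integer remains
    try {
        [$sql, $params] = build_bound($in);
        echo "  bound:  " . $sql . ' with ' . json_encode($params) . "\n";
    } catch (InvalidArgumentException $e) {
        echo "  bound:  rejected, " . $e->getMessage() . "\n";
    }
}
```

Running it shows the three behaviours side by side: the pre-patch builder emits "interval 14 abc day" unchanged because there was nothing for the escaper to act on, the patched builder emits "interval 14 day" (and "interval 0 day" for "abc", which is a silent coercion worth knowing about), and the bound variant keeps the SQL text constant and rejects the two bad inputs outright.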
Detection Methods for CVE-2026-33917
Indicators of Compromise
- Unusual SQL error messages in OpenEMR application logs related to the CAMOS form
- Unexpected database queries containing SQL injection patterns in database audit logs
- Anomalous access patterns to the ajax_save endpoint in the CAMOS form module
- Evidence of data exfiltration or unauthorized database modifications
Detection Strategies
- Monitor web application logs for requests to /interface/forms/CAMOS/ containing SQL injection patterns such as UNION SELECT, OR 1=1, or comment sequences
- Implement web application firewall (WAF) rules to detect and block SQL injection attempts targeting OpenEMR endpoints
- Review database audit logs for queries with unusual structures or unauthorized data access patterns
- Deploy intrusion detection systems (IDS) with signatures for SQL injection attack patterns
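As an added example of the log review described above (not OpenEMR's code or tooling), the script below scans request log lines, keeps only those under /interface/forms/CAMOS/, and flags a request when its days parameter is not a plain integer or when any parameter carries one of the signature patterns listed in the detection strategies. The whitespace-separated log format, the sample lines and the file name ajax_save.php for the ajax_save endpoint are assumptions constructed for this example; in a real deployment the parameter values would come from a WAF or application request log, since a POST body is not in the standard access log.

```php
<?php
// Added example, not OpenEMR's code: scan request log lines for the CAMOS form path
// and flag any request whose "days" parameter is not a plain integer or carries one
// of the SQL injection patterns named in the detection guidance above.
// Assumptions: a simple whitespace-separated log format (constructed for this example)
// and the file name ajax_save.php for the ajax_save endpoint.
declare(strict_types=1);

const CAMOS_PREFIX = '/interface/forms/CAMOS/';

// Signatures from the detection guidance: UNION SELECT, OR 1=1, SQL comment sequences.
const SQLI_PATTERNS = [
    'union select'     => '/\bunion\b(\s+all)?\s+select\b/i',
    'or n=n'           => '/\bor\b\s*\d+\s*=\s*\d+/i',
    'comment sequence' => '~(--|/\*|#)~',
];

// Parse one constructed line of the form "<timestamp> <client_ip> <method> <path>?<query>".
function parse_line(string $line): ?array
{
    $parts = preg_split('/\s+/', trim($line));
    if ($parts === false || count($parts) < 4) {
        return null;
    }
    [$ts, $ip, $method, $target] = $parts;
    $query = '';
    if (($pos = strpos($target, '?')) !== false) {
        $query = substr($target, $pos + 1);
        $target = substr($target, 0, $pos);
    }
    $params = [];
    parse_str($query, $params);   // parse_str percent-decodes each value
    return ['ts' => $ts, 'ip' => $ip, 'method' => $method, 'path' => $target, 'params' => $params];
}

// Return the reasons a request looks suspicious; an empty array means nothing was flagged.
function classify(array $req): array
{
    if (!str_starts_with($req['path'], CAMOS_PREFIX)) {
        return [];
    }
    $reasons = [];
    // Business rule: the interval is a day count, so anything beyond an optional sign and
    // a few digits is unexpected, whether or not it matches a known signature.
    if (isset($req['params']['days']) && !preg_match('/^-?\d{1,4}$/', (string) $req['params']['days'])) {
        $reasons[] = 'days is not a plain integer';
    }
    foreach ($req['params'] as $name => $value) {
        if (!is_string($value)) {
            continue;   // array-valued parameters are out of scope for this example
        }
        foreach (SQLI_PATTERNS as $label => $re) {
            if (preg_match($re, $value)) {
                $reasons[] = "$label in parameter $name";
            }
        }
    }
    return $reasons;
}

// Scan a list of lines and return one record per flagged request.
function scan(array $lines): array
{
    $flagged = [];
    foreach ($lines as $line) {
        $req = parse_line($line);
        if ($req !== null && ($reasons = classify($req)) !== []) {
            $flagged[] = ['ts' => $req['ts'], 'ip' => $req['ip'], 'path' => $req['path'], 'reasons' => $reasons];
        }
    }
    return $flagged;
}

// Constructed sample lines: an ordinary save, an unrelated page, a non-numeric day count,
// and a value matching the OR 1=1 signature from the detection guidance.
$sample = [
    '2026-03-26T09:12:01Z 10.20.3.4 POST /interface/forms/CAMOS/ajax_save.php?days=14&time=09:00',
    '2026-03-26T09:12:05Z 10.20.3.4 GET /interface/other/example.php?pid=101',
    '2026-03-26T09:13:40Z 10.20.3.9 POST /interface/forms/CAMOS/ajax_save.php?days=14%20abc&time=09:00',
    '2026-03-26T09:14:02Z 10.20.3.9 POST /interface/forms/CAMOS/ajax_save.php?days=1%20or%201%3D1&time=09:00',
];
foreach (scan($sample) as $hit) {
    printf("%s %s %s: %s\n", $hit['ts'], $hit['ip'], $hit['path'], implode('; ', $hit['reasons']));
}
```

The integer check on days is the more useful of the two rules: it catches any malformed value for this endpoint regardless of whether it matches a known signature, while the signature list only catches the patterns it names. The third sample line is flagged by the integer rule alone, the fourth by both.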
Monitoring Recommendations
- Enable detailed logging for all CAMOS form interactions and database queries
- Configure alerts for failed authentication attempts followed by SQL-related errors
- Monitor for unusual volume of requests to the ajax_save CAMOS endpoint
- Implement database activity monitoring to detect anomalous query patterns or data access
How to Mitigate CVE-2026-33917
Immediate Actions Required
- Upgrade OpenEMR to version 8.0.0.3 or later immediately
- Audit database logs for any evidence of prior exploitation
- Review user accounts with access to CAMOS forms for unauthorized activity
- Implement network segmentation to limit access to OpenEMR servers
Patch Information
OpenEMR has released version 8.0.0.3 which patches this vulnerability. The fix involves proper type casting of the $days parameter to an integer before SQL query construction, eliminating the SQL injection vector.
Workarounds
- Restrict access to the CAMOS form module to only essential personnel until patching is complete
- Implement web application firewall rules to filter SQL injection patterns in requests to OpenEMR
- Consider temporarily disabling the CAMOS form functionality if not critical to operations
- Apply network-level access controls to limit exposure of the OpenEMR application
# Example: Restrict access to CAMOS forms via Apache configuration
<Directory "/var/www/openemr/interface/forms/CAMOS">
Require ip 10.0.0.0/8
Require ip 192.168.0.0/16
</Directory>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

