{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33302", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-18T18:55:47.428Z", "datePublished": "2026-03-19T20:23:17.172Z", "dateUpdated": "2026-03-20T20:20:42.266Z"}, "containers": {"cna": {"title": "OpenEMR: zhAclCheck Ignores Explicit ACL Denies", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/openemr/openemr/security/advisories/GHSA-v68v-pwc4-8p2m", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openemr/openemr/security/advisories/GHSA-v68v-pwc4-8p2m"}, {"name": "https://github.com/openemr/openemr/commit/0ef9b1763029e52d43fcb4fd0ebb0769a7ec43d4", "tags": ["x_refsource_MISC"], "url": "https://github.com/openemr/openemr/commit/0ef9b1763029e52d43fcb4fd0ebb0769a7ec43d4"}], "affected": [{"vendor": "openemr", "product": "openemr", "versions": [{"version": "< 8.0.0.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T20:23:17.172Z"}, "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, the module ACL function `AclMain::zhAclCheck()` only checks for the presence of any \"allow\" (user or group). It never checks for explicit \"deny\" (allowed=0). As a result, administrators cannot revoke access by setting a user or group to \"deny\"; if the user is in a group that has \"allow,\" access is granted regardless of explicit denies. Version 8.0.0.2 fixes the issue."}], "source": {"advisory": "GHSA-v68v-pwc4-8p2m", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T20:20:32.279983Z", "id": "CVE-2026-33302", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T20:20:42.266Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33302", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-20T20:20:32.279983Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T20:20:37.131Z"}}], "cna": {"title": "OpenEMR: zhAclCheck Ignores Explicit ACL Denies", "source": {"advisory": "GHSA-v68v-pwc4-8p2m", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "openemr", "product": "openemr", "versions": [{"status": "affected", "version": "< 8.0.0.2"}]}], "references": [{"url": "https://github.com/openemr/openemr/security/advisories/GHSA-v68v-pwc4-8p2m", "name": "https://github.com/openemr/openemr/security/advisories/GHSA-v68v-pwc4-8p2m", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/openemr/openemr/commit/0ef9b1763029e52d43fcb4fd0ebb0769a7ec43d4", "name": "https://github.com/openemr/openemr/commit/0ef9b1763029e52d43fcb4fd0ebb0769a7ec43d4", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, the module ACL function `AclMain::zhAclCheck()` only checks for the presence of any \"allow\" (user or group). It never checks for explicit \"deny\" (allowed=0). As a result, administrators cannot revoke access by setting a user or group to \"deny\"; if the user is in a group that has \"allow,\" access is granted regardless of explicit denies. Version 8.0.0.2 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T20:23:17.172Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33302", "state": "PUBLISHED", "dateUpdated": "2026-03-20T20:20:42.266Z", "dateReserved": "2026-03-18T18:55:47.428Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-19T20:23:17.172Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*", "matchCriteriaId": "C78F19AD-BD18-4F61-8B1C-DD099DBC6D34", "versionEndExcluding": "8.0.0.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, the module ACL function `AclMain::zhAclCheck()` only checks for the presence of any \"allow\" (user or group). It never checks for explicit \"deny\" (allowed=0). As a result, administrators cannot revoke access by setting a user or group to \"deny\"; if the user is in a group that has \"allow,\" access is granted regardless of explicit denies. Version 8.0.0.2 fixes the issue."}], "id": "CVE-2026-33302", "lastModified": "2026-03-20T15:53:44.370", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-19T21:17:11.380", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/openemr/openemr/commit/0ef9b1763029e52d43fcb4fd0ebb0769a7ec43d4"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/openemr/openemr/security/advisories/GHSA-v68v-pwc4-8p2m"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,8.0.0.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "openemr", "source": "cna", "vendor": "openemr"}, "product": "openemr", "vendor": "openemr"}], "analysis": {"en": {"generated_at": "2026-03-19T21:50:51.482367+00:00", "value": {"mitigation_remediation": ["Upgrade to OpenEMR 8.0.0.2 or later, which includes the fix that enforces explicit denies.", "After upgrading, review ACL configurations to ensure deny entries are now respected by the system.", "Audit system logs for any unauthorized access that may have occurred before the upgrade.", "If an upgrade is not immediately possible, restrict ACL editing permissions to a minimal set of trusted administrators until a patch can be applied.", "Continuously monitor OpenEMR security advisories and apply any subsequent patches promptly."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The flaw affects all OpenEMR installations running a version earlier than 8.0.0.2. The impacted product is openemr:openemr. Vendor notes state that any build up to and including 8.0.0.1 is affected; no specific sub\u2011version list is provided beyond the version cutoff.", "description_and_impact": "OpenEMR\u2019s AclMain::zhAclCheck() function in versions prior to 8.0.0.2 incorrectly evaluates ACL entries. The function only checks for the presence of an \"allow\" entry and never inspects explicit \"deny\" entries (allow=0). Because of the ignored denies, a user who belongs to a group that has an allow entry can still access resources even if the user or that group is explicitly denied. This flaw allows privileged users to bypass intended access restrictions and consequently gain unauthorized access to protected data or functions. The weakness is classified as CWE\u2011863, indicating insufficient access control checks.", "risk_and_exploitability": "The CVSS score is 7.3, denoting a high severity vulnerability. The EPSS score is not available, so the current likelihood of exploitation cannot be quantified. The vulnerability is not listed in CISA\u2019s KEV catalog. The likely attack vector is a remote authenticated web request to the OpenEMR application; an attacker must have the ability to modify ACLs (admin or equivalent). Once the ACL filter is bypassed, the attacker can retrieve or manipulate protected information. Because the flaw resides in server\u2011side logic, it does not require additional network services or located vulnerabilities; exploiting it only requires valid credentials with ACL management permissions. The automated exploitation potential is limited, but the impact of unauthorized access is significant."}}}}, "created": "2026-03-20T08:56:18.988345+00:00", "updated": "2026-03-20T11:06:29.001846+00:00", "vendors": ["openemr", "openemr$PRODUCT$openemr"]}