High-Severity SQL Injection Vulnerability in OpenEMR (CVE-2026-33917)

High-Severity SQL Injection Vulnerability in OpenEMR (CVE-2026-33917)

First seen 26 Mar 2026, 18:18 UTC FeedlyNvd.Nist 73% similarity 72.0

Article Content

Browse articles
ThreatCluster

A critical SQL injection vulnerability (CVE-2026-33917) has been identified in OpenEMR versions prior to 8.0.0.3, affecting the ajax_save CAMOS form. This vulnerability arises from insufficient input validation, allowing authenticated attackers to execute arbitrary database commands. The potential impact includes unauthorized access, modification, or deletion of sensitive patient records and electronic health records (EHR) data. The CVSS v3.1 base score for this vulnerability is 8.8, indicating high severity with significant implications for confidentiality, integrity, and availability. Multiple proof-of-concept exploits have been released, increasing the urgency for organizations to patch their systems. A security patch was made available on March 26, 2026, and users are advised to upgrade to version 8.0.0.3 or later. There is currently no evidence of exploitation in the wild, but the risk remains high due to the nature of the vulnerability. Organizations should prioritize patching and consider implementing additional access controls until updates are completed.

Key Points: • CVE-2026-33917 is a high-severity SQL injection vulnerability in OpenEMR. • Authenticated attackers can exploit this flaw to access sensitive patient data. • A patch for the vulnerability was released on March 26, 2026, and immediate upgrades are advised.

ThreatCluster AI

Timeline

2026-02-26
First public PoC for CVE-2026-33917 released
2026-03-25
CVE-2026-33917 published
2026-03-25
CVE-2026-33912 published
2026-03-26
Patch for CVE-2026-33917 released

Community

Browse all →