CVE-2026-33934 MEDIUM

CVE-2026-33934: OpenEMR's Missing Authorization in show-signature.php Allows Portal Patients to Read Staff Signatures

Vendor Openemr

Product openemr

Weakness CWE-639 · IDOR

Published March 25, 2026

Last update March 26, 2026

View on NVD All CVEs

CVSS base score

4.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality Low

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

Description

OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.3 have a missing authorization check in `portal/sign/lib/show-signature.php` that allows any authenticated patient portal user to retrieve the drawn signature image of any staff member by supplying an arbitrary `user` value in the POST body. The companion write endpoint (`save-signature.php`) was already hardened against this same issue, but the read endpoint was not updated to match. Version 8.0.0.3 patches the issue.

Key dates

Disclosure timeline

March 25, 2026 CVE published

March 26, 2026 Record updated