Unrated severityNVD Advisory· Published Mar 25, 2026· Updated Mar 26, 2026
OpenEMR's Missing Authorization in show-signature.php Allows Portal Patients to Read Staff Signatures
CVE-2026-33934
Description
OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.3 have a missing authorization check in portal/sign/lib/show-signature.php that allows any authenticated patient portal user to retrieve the drawn signature image of any staff member by supplying an arbitrary user value in the POST body. The companion write endpoint (save-signature.php) was already hardened against this same issue, but the read endpoint was not updated to match. Version 8.0.0.3 patches the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2Patches
Vulnerability mechanics
References
3- github.com/openemr/openemr/commit/ae7ee1872d2e6300b165e24687cc90cf6847a4e5mitrex_refsource_MISC
- github.com/openemr/openemr/releases/tag/v8_0_0_3mitrex_refsource_MISC
- github.com/openemr/openemr/security/advisories/GHSA-w9w5-7x6h-657qmitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.