CVE-2026-33305 OpenEMR has Authorization Bypass in FaxSMS AppDispatch Constructor

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, an authorization bypass in the optional FaxSMS module oe-module-faxsms allows any authenticated OpenEMR user to invoke controller methods — including getNotificationLog, whic...

CVE-2026-33305

OpenEMR (prior to 8.0.0.2) exposes an authorization bypass in the optional FaxSMS app: the AppDispatch constructor dispatches user-controlled actions, allowing any authenticated user to invoke controller methods (e.g., getNotificationLog) and access PHI without the required ACLs. The issue affect...

CVE-2026-33305 OpenEMR has Authorization Bypass in FaxSMS AppDispatch Constructor

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, an authorization bypass in the optional FaxSMS module oe-module-faxsms allows any authenticated OpenEMR user to invoke controller methods — including getNotificationLog, whic...

PT-2026-26347

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, an authorization bypass in the optional FaxSMS module oe-module-faxsms allows any authenticated OpenEMR user to invoke controller methods — including getNotificationLog, whic...