CVE-2026-33302

UNKNOWN 0.0

OpenEMR: zhAclCheck Ignores Explicit ACL Denies

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

11th

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, the module ACL function `AclMain::zhAclCheck()` only checks for the presence of any "allow" (user or group). It never checks for explicit "deny" (allowed=0). As a result, administrators cannot revoke access by setting a user or group to "deny"; if the user is in a group that has "allow," access is granted regardless of explicit denies. Version 8.0.0.2 fixes the issue.

CWE	CWE-863
Vendor	openemr
Product	openemr
Published	Mar 19, 2026
Last Updated	Mar 20, 2026

Stay Ahead of the Next One

Get instant alerts for openemr openemr

Be the first to know when new unknown vulnerabilities affecting openemr openemr are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

openemr / openemr

< 8.0.0.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/openemr/openemr/security/advisories/GHSA-v68v-pwc4-8p2m github.com: https://github.com/openemr/openemr/commit/0ef9b1763029e52d43fcb4fd0ebb0769a7ec43d4