CVE-2026-25220

Summary

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the Message Center accepts the URL parameter show_all=yes and passes it to getPnotesByUser(), which returns all internal messages (all users’ notes). The backend does not verify that the requesting user is an administrator before honoring show_all=yes. The "Show All" link is also visible to non-admin users. As a result, any authenticated user can view the entire internal message list by requesting messages.php?show_all=yes. Version 8.0.0 patches the issue.

Affected Software

VendorProductVersion RangeStatus
openemropenemr< 8.0.0affected

Weaknesses

  • CWE-639: CWE-639: Authorization Bypass Through User-Controlled Key

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

Additional References

References