CVE-2026-25124
Access Control Bypass in OpenEMR Message Export Allows Data Exposure
Publication date: 2026-02-25
Last updated on: 2026-02-25
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open-emr | openemr | < 8.0.0 (8.0.0 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unauthorized POST requests to the message_list.php endpoint with the parameter form_csvexport=true, which triggers the export of sensitive message data.
A proof of concept involves logging in as a low-privileged user, capturing a valid CSRF token, and sending a crafted POST request to message_list.php with form_csvexport=true to download a CSV file containing sensitive data.
To detect exploitation attempts, check web server logs for POST requests to interface/reports/message_list.php containing form_csvexport=true.
- Example command to search web server logs for suspicious export attempts: grep 'POST.*message_list.php' /var/log/apache2/access.log | grep 'form_csvexport=true'
- Use network monitoring tools or intrusion detection systems to alert on POST requests to message_list.php with the form_csvexport=true parameter. [1]
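The grep above only matches when form_csvexport=true is visible in the request line; Apache's default combined log format does not record POST bodies, so a form-submitted export leaves just "POST .../message_list.php" in the access log. The following script is an added example (not part of this advisory, nor OpenEMR's own tooling) that parses combined-format access log lines and grades each POST to the export endpoint: high confidence when the parameter is present in the query string, medium when it is not visible and must be confirmed from application audit logs or a full request capture. The log lines and the /openemr/ path prefix are constructed sample data.

```python
"""Flag possible CVE-2026-25124 export attempts in Apache combined-format access logs."""
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint named in the advisory; the deployment path prefix may differ.
EXPORT_ENDPOINT = "/interface/reports/message_list.php"

# Constructed sample log lines (not real traffic), Apache combined format.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Feb/2026:10:01:02 +0000] "GET /openemr/interface/reports/message_list.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [25/Feb/2026:10:01:09 +0000] "POST /openemr/interface/reports/message_list.php?form_csvexport=true HTTP/1.1" 200 88213 "-" "Mozilla/5.0"
10.0.0.7 - - [25/Feb/2026:10:02:30 +0000] "POST /openemr/interface/reports/message_list.php HTTP/1.1" 200 64001 "-" "curl/8.4.0"
10.0.0.9 - - [25/Feb/2026:10:03:00 +0000] "POST /openemr/interface/main/messages/messages.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Parse one access log line; return a dict or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    entry["query"] = parse_qs(parts.query)  # only the query string is logged, never the POST body
    return entry


def classify(entry):
    """Return 'high', 'medium' or None for a parsed entry.

    high:   POST to the export endpoint with form_csvexport=true in the query string
    medium: POST to the export endpoint with no parameter visible (body not logged)
    """
    if entry["method"] != "POST" or not entry["path"].endswith(EXPORT_ENDPOINT):
        return None
    values = entry["query"].get("form_csvexport", [])
    if any(v.lower() == "true" for v in values):
        return "high"
    return "medium"


def scan(lines):
    """Scan log lines and return findings as a list of dicts (in log order)."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        confidence = classify(entry)
        if confidence is None:
            continue
        findings.append({
            "ip": entry["ip"],
            "ts": entry["ts"],
            "status": int(entry["status"]),
            "size": 0 if entry["size"] == "-" else int(entry["size"]),
            "confidence": confidence,
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f['confidence']:6} {f['ip']:10} {f['ts']} status={f['status']} bytes={f['size']}")
```

Run it against a real file with `scan(open("/var/log/apache2/access.log"))`. A large response size on a medium-confidence hit is a useful secondary signal (a CSV of the whole message list is far bigger than the report page itself), but only the application-side audit trail can tie a POST to a specific low-privileged account.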
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of sensitive patient and user information.
- Low-privileged users can export the entire message list containing sensitive data.
- Exposure includes internal communications between healthcare providers, message statuses, sender/receiver identities, timestamps, and message priorities.
Such unauthorized access can compromise patient privacy and confidentiality, potentially leading to data breaches.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
Can you explain this vulnerability to me?
CVE-2026-25124 is a broken access control vulnerability in OpenEMR versions prior to 8.0.0, specifically in the message_list.php report export functionality.
The flaw allows low-privileged users, such as receptionists, to export the entire message list containing sensitive patient and user data without proper permission checks.
The vulnerability exists because the export script processes CSV export requests without verifying whether the user has the necessary access rights; it only verifies a CSRF token, which can be bypassed if the token is obtained by other means.
This results in unauthorized access to sensitive information including message details, patient data, and user data.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade OpenEMR to version 8.0.0 or later, where the vulnerability is fixed by adding proper access control checks.
The fix involves implementing role-based access control using OpenEMR's acl_check() function to verify user permissions before allowing export of message data.
Until the upgrade can be applied, restrict access to the message_list.php report export functionality to trusted users only, and monitor for suspicious export activity.
- Apply the official patch or update from OpenEMR that adds ACL checks and CSRF token verification.
- Limit user privileges to prevent low-privileged users from accessing message export features.