CVE-2026-25220
Status: Received - Intake
Unauthorized Access in OpenEMR Message Center via URL Parameter

Publication date: 2026-02-25

Last updated on: 2026-02-27

Assigner: GitHub, Inc.

Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the Message Center accepts the URL parameter `show_all=yes` and passes it to `getPnotesByUser()`, which returns all internal messages (all users’ notes). The backend does not verify that the requesting user is an administrator before honoring `show_all=yes`. The "Show All" link is also visible to non-admin users. As a result, any authenticated user can view the entire internal message list by requesting `messages.php?show_all=yes`. Version 8.0.0 patches the issue.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-02-25
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: open-emr
Product: openemr
Version / Range: all versions before 8.0.0 (8.0.0 itself excluded)
CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability in OpenEMR prior to version 8.0.0 involves an authorization bypass in the Message Center feature. Specifically, the URL parameter `show_all=yes` can be used by any authenticated user to view all internal messages across all users. This happens because the backend function `getPnotesByUser()` accepts the `show_all` parameter without verifying whether the user has administrative privileges.

Although the 'Show All' link is intended only for administrators, it is visible and accessible to non-admin users, allowing them to trigger this parameter. As a result, non-admin users can bypass access controls and see all users' messages, including message titles, dates, assignees, and patient references.

The issue was fixed in OpenEMR version 8.0.0 by forcing the `show_all` variable to 'no' for non-admin users, ensuring that only administrators can view all messages. [1, 2]


How can this vulnerability impact me?

This vulnerability allows any authenticated user, including non-administrators, to access all internal messages within the OpenEMR system. This means sensitive information such as message titles, dates, assignees, and patient references can be exposed to unauthorized users.

The exposure of protected health information (PHI) and internal communications can lead to privacy breaches, loss of trust, and potential legal consequences for organizations using OpenEMR.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability poses significant risks to compliance with regulations such as HIPAA because it allows unauthorized access to protected health information (PHI). Unauthorized disclosure of PHI violates HIPAA's privacy and security rules.

Such exposure can also impact compliance with other data protection regulations like GDPR, which require strict controls over personal data access and confidentiality.

Therefore, this vulnerability undermines the confidentiality guarantees required by these standards and can lead to regulatory penalties and damage to organizational reputation. [2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking whether non-administrative users can request the OpenEMR Message Center with the URL parameter `show_all=yes` and retrieve all internal messages.

A simple test is to log in as a non-admin user, load the Message Center once without the parameter to record that user's own messages, then request `messages.php?show_all=yes`. If the second response returns messages beyond the authenticated user's own, the system is vulnerable.

From a network perspective, monitoring HTTP requests to `messages.php` for the `show_all=yes` parameter (including percent-encoded and upper-case variants) by non-admin users helps detect exploitation attempts. Web-server access logs do not record the OpenEMR username, so correlate the source address and timestamp with OpenEMR's own audit log to identify the account behind a request.

Suggested commands to test the vulnerability include using curl or a browser with an authenticated session as a non-admin user, where cookies.txt holds the session cookie captured from that non-admin login:

curl -b cookies.txt "https://<openemr-host>/interface/main/messages/messages.php?show_all=yes"

Check the response for messages belonging to other users, indicating unauthorized access. [2]
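Detection over web-server logs, as an added example that is not part of this page or of the OpenEMR project: the script below parses constructed Apache combined-format access-log lines, flags requests whose path ends in `/interface/main/messages/messages.php` and whose percent-decoded query carries `show_all=yes` (case-insensitive, so `show%5Fall=YES` is still caught while the same parameter on another script is ignored), records whether the server actually served the page (status 200) or bounced the request, and counts hits per client address. The sample log lines, the log regex and the endpoint path are assumptions for illustration and should be adjusted to the deployment being checked.

```python
import re
from collections import Counter
from typing import Iterable
from urllib.parse import parse_qs, urlsplit

# Constructed Apache "combined" access-log sample for illustration (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [25/Feb/2026:10:15:02 +0000] "GET /interface/main/messages/messages.php?show_all=yes HTTP/1.1" 200 48213 "-" "Mozilla/5.0"
10.0.0.7 - - [25/Feb/2026:10:15:09 +0000] "GET /interface/main/messages/messages.php?form_active=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [25/Feb/2026:10:16:44 +0000] "GET /interface/main/messages/messages.php?form_active=1&show_all=YES HTTP/1.1" 200 47990 "-" "Mozilla/5.0"
10.0.0.9 - - [25/Feb/2026:10:17:01 +0000] "GET /interface/main/messages/messages.php?show%5Fall=yes HTTP/1.1" 200 47500 "-" "curl/8.5.0"
10.0.0.7 - - [25/Feb/2026:10:18:30 +0000] "GET /interface/patient_file/summary/demographics.php?show_all=yes HTTP/1.1" 200 900 "-" "Mozilla/5.0"
10.0.0.9 - - [25/Feb/2026:10:19:12 +0000] "GET /interface/main/messages/messages.php?show_all=yes HTTP/1.1" 302 0 "-" "curl/8.5.0"
"""

# Assumed combined log format: client, ident, user, [timestamp], "METHOD target HTTP/x", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Message Center script named in the advisory (path assumed for a default install).
MESSAGES_PATH = "/interface/main/messages/messages.php"


def is_show_all_request(target: str) -> bool:
    """True if the request target is messages.php carrying show_all=yes.

    parse_qs percent-decodes both keys and values, so show%5Fall=yes is seen
    as show_all=yes; key and value are compared case-insensitively.
    """
    parts = urlsplit(target)
    if not parts.path.endswith(MESSAGES_PATH):
        return False
    params = parse_qs(parts.query, keep_blank_values=True)
    values = [v.lower() for key, vs in params.items() if key.lower() == "show_all" for v in vs]
    return "yes" in values


def find_show_all_requests(lines: Iterable[str]) -> list[dict]:
    """Return one record per request to messages.php that asked for show_all=yes."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_show_all_request(m["target"]):
            continue
        status = int(m["status"])
        hits.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "target": m["target"],
            "status": status,
            # 200 means the page was served; a 302 to the login page or a 403
            # means the request was not honoured, so it is an attempt only.
            "served": status == 200,
        })
    return hits


def hits_by_source(hits: list[dict]) -> Counter:
    """Count flagged requests per client address for triage."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = find_show_all_requests(SAMPLE_LOG.splitlines())
    for h in found:
        flag = "served" if h["served"] else "not served"
        print(f'{h["ts"]} {h["ip"]} {h["status"]} {flag} {h["target"]}')
    print(hits_by_source(found))
```

The access log identifies only the client address, not the OpenEMR account, so a hit from an administrator's workstation is expected traffic; join each flagged address and timestamp against OpenEMR's own audit log or session records to decide whether the account was a non-admin. A request with `served` true for a non-admin account on a version before 8.0.0 is evidence of successful exploitation, and a burst of hits from one address using a non-browser User-Agent (as in the curl lines above) is worth triaging first.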


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade OpenEMR to version 8.0.0 or later, where the vulnerability has been patched.

The patch forces the `show_all` parameter to "no" for non-admin users, so only administrators can list all messages.

If upgrading immediately is not possible, restrict access to the `messages.php` endpoint or implement additional access controls so that non-admin users cannot use the `show_all=yes` parameter. A blanket web-server rule that blocks `show_all=yes` on `messages.php` also removes the Show All function for administrators until the upgrade, and it must match percent-encoded and upper-case variants of the parameter to be effective.

Additionally, review and monitor logs for any suspicious access patterns involving the `show_all=yes` parameter. [1, 2]

