CVE-2026-25220
Unauthorized Access in OpenEMR Message Center via URL Parameter
Publication date: 2026-02-25
Last updated on: 2026-02-27
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open-emr | openemr | < 8.0.0 (8.0.0 itself not affected) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
OpenEMR before version 8.0.0 has an authorization bypass in the Message Center. Any authenticated user can append the URL parameter `show_all=yes` to the Message Center request and view the internal messages of every user, because the backend function `getPnotesByUser()` honours the `show_all` value without checking that the caller has administrative privileges.

The 'Show All' link that sets this parameter is meant for administrators only, but it is rendered for, and reachable by, non-admin users as well, so they can trigger it from the UI or simply by editing the URL. A non-admin user therefore sees every user's messages, including message titles, dates, assignees, and patient references.

OpenEMR 8.0.0 fixes the issue by forcing `show_all` to 'no' for non-admin users, so that only administrators can list all messages. [1, 2]
How can this vulnerability impact me?
This vulnerability allows any authenticated user, including non-administrators, to access all internal messages within the OpenEMR system. This means sensitive information such as message titles, dates, assignees, and patient references can be exposed to unauthorized users.
The exposure of protected health information (PHI) and internal communications can lead to privacy breaches, loss of trust, and potential legal consequences for organizations using OpenEMR.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
Because the flaw lets an authenticated but unauthorized user read protected health information (PHI) carried in internal messages, patient references in particular, it bears directly on HIPAA: unauthorized disclosure of PHI violates the Privacy and Security Rules.

The same exposure affects other data-protection regimes such as GDPR, which require strict controls over who may access personal data and under what conditions.

The vulnerability therefore undermines the confidentiality guarantees these standards demand and can result in regulatory penalties and reputational damage for affected organizations. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability is confirmed by checking whether a non-administrative user can retrieve all internal messages by adding `show_all=yes` to the Message Center URL.

A direct test: log in to OpenEMR through the browser as a non-admin test user and request `interface/main/messages/messages.php?show_all=yes` with that session. Request the same page without the parameter first so you have a baseline. If the listing with the parameter contains messages that are neither addressed to nor sent by the test user, the instance is vulnerable.

With curl and a cookie jar holding the non-admin browser session (the login itself is not shown here; export the session cookie from the browser or log in with a tool that handles the form):

- `curl -s -b cookies.txt "https://<openemr-host>/interface/main/messages/messages.php?show_all=yes"`
- Inspect the response for messages belonging to other users; their presence indicates unauthorized access.

From the network side, alert on requests to `messages.php` whose query string contains `show_all=yes`. A web-server or proxy log cannot tell an admin session from a non-admin one, so treat such hits as leads: correlate the client IP and timestamp with OpenEMR's own audit log to identify the account, then check whether that account is an administrator. Percent-encoded spellings of the parameter (for example `show_all=%79es`) decode to the same value on the server, so match on the decoded query string rather than on the literal text. [2]
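An added example of the log-side check described above; this is not code from the OpenEMR project or from the advisory. It parses combined-format access log lines (the format Apache and nginx write), decodes the query string, and flags requests to `messages.php` carrying `show_all=yes`. The log lines are constructed for the example, using documentation IP ranges; the script path is the one named on this page.

```python
"""Flag requests that exercise the OpenEMR Message Center show_all parameter.

Added example for CVE-2026-25220; not code from the OpenEMR project.
Input is the combined log format written by Apache and nginx.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Path of the Message Center script named on this page.
MESSAGES_PATH = "/interface/main/messages/messages.php"

# Combined log format: ip ident user [time] "METHOD target PROTO" status bytes ...
_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = _LINE_RE.match(line)
    return m.groupdict() if m else None


def is_show_all_request(target):
    """True when `target` is messages.php with show_all=yes in its query string.

    The query is decoded before matching, so percent-encoded spellings such as
    show_all=%79es or %73how_all=yes are caught. The page documents the value
    'yes'; the match is case-insensitive on purpose so that hunting is not
    narrower than the application's own decoding.
    """
    parts = urlsplit(target)
    if not unquote(parts.path).endswith(MESSAGES_PATH):
        return False
    query = parse_qs(parts.query, keep_blank_values=True)
    return any(v.strip().lower() == "yes" for v in query.get("show_all", []))


def find_show_all_requests(lines):
    """Yield (ip, http_user, time, status) for each matching request."""
    for line in lines:
        rec = parse_line(line)
        if rec and is_show_all_request(rec["target"]):
            yield rec["ip"], rec["user"], rec["time"], int(rec["status"])


def summarize(lines):
    """Count hits per (ip, http_user).

    OpenEMR authenticates with a PHP session, so the web server's user field is
    normally '-'. Resolve the OpenEMR account and its role from the
    application's audit log using the ip and time before concluding that a
    non-admin issued the request.
    """
    counts = {}
    for ip, user, _time, _status in find_show_all_requests(lines):
        counts[(ip, user)] = counts.get((ip, user), 0) + 1
    return counts


# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Feb/2026:10:14:02 +0000] "GET /interface/main/messages/messages.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [25/Feb/2026:10:14:09 +0000] "GET /interface/main/messages/messages.php?show_all=yes HTTP/1.1" 200 48211 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [25/Feb/2026:10:14:30 +0000] "GET /interface/main/messages/messages.php?form_active=1&show_all=%79es HTTP/1.1" 200 48211 "-" "curl/8.5.0"',
    '198.51.100.23 - - [25/Feb/2026:10:15:00 +0000] "GET /interface/main/messages/messages.php?show_all=no HTTP/1.1" 200 3300 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [25/Feb/2026:10:15:12 +0000] "GET /interface/patient_file/summary/demographics.php?show_all=yes HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for ip, user, when, status in find_show_all_requests(SAMPLE_LOG):
        print(f"{when} {ip} user={user} status={status} show_all=yes on messages.php")
    print(summarize(SAMPLE_LOG))
```

Run it over a real log with `find_show_all_requests(open("access.log"))`. On the constructed sample it reports the two requests from 203.0.113.7 (the plain and the percent-encoded form) and ignores the `show_all=no` request and the unrelated script that happens to take a parameter of the same name. The jump in response size between the baseline request and the `show_all=yes` request in the sample is the kind of signal that also helps when the listing is large.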
What immediate steps should I take to mitigate this vulnerability?
Upgrade OpenEMR to version 8.0.0 or later, where the issue is fixed.

The fix forces the `show_all` parameter to 'no' for non-admin users, so the Message Center lists all messages only for administrators, whatever the URL carries.

If you cannot upgrade immediately, apply the upstream fix to your installation, or block requests to `messages.php` that carry `show_all=yes` at the reverse proxy or web application firewall. A proxy rule cannot distinguish administrators from other users, so it also removes the legitimate 'Show All' view for admins until the upgrade is done; restricting `messages.php` as a whole is not a workable alternative because it disables messaging for everyone.

Afterwards, review web-server and OpenEMR audit logs for past requests containing `show_all=yes` and establish which accounts sent them, and repeat the non-admin test after patching to confirm the parameter is now ignored. [1, 2]