CVE-2026-25476
Status: Received - Intake
Session Timeout Bypass in OpenEMR Allows Persistent Unauthorized Access

Publication date: 2026-02-25

Last updated on: 2026-02-28

Assigner: GitHub, Inc.

Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the session expiration check in `library/auth.inc.php` runs only when `skip_timeout_reset` is not present in the request. When `skip_timeout_reset=1` is sent, the entire block that calls `SessionTracker::isSessionExpired()` and forces logout on timeout is skipped. As a result, any request that includes this parameter (e.g. from auto-refresh pages like the Patient Flow Board) never runs the expiration check: expired sessions can continue to access data indefinitely, abandoned workstations stay active, and an attacker with a stolen session cookie can keep sending `skip_timeout_reset=1` to avoid being logged out. Version 8.0.0 fixes the issue.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-02-25
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: open-emr
Product: openemr
Version / Range: all versions before 8.0.0 (8.0.0 itself excluded)
CWE
CWE-613 (Insufficient Session Expiration): According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-25476 is a vulnerability in OpenEMR versions prior to 8.0.0 related to improper session expiration handling. The issue arises because when a request includes the parameter `skip_timeout_reset=1`, the system completely skips the session expiration check that normally forces a logout if the session has expired.

This means that expired sessions can continue to access data indefinitely, as the expiration check is bypassed. This flaw allows attackers with stolen session cookies to maintain unauthorized access by continuously sending requests with this parameter, preventing forced logout.

The vulnerability was fixed by changing the code logic so that the session expiration check always runs regardless of the presence of `skip_timeout_reset`. Now, `skip_timeout_reset` only controls whether the session expiration timer is reset, not whether the expiration check is performed.
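The vulnerable and fixed control flow side by side, as an added Python example that is not OpenEMR's code: a simplified model of the check in `library/auth.inc.php`, where the 120-second timeout, the toy `Session` class and the `replay_refresh_only` helper are assumptions. The first handler skips the whole expiry block whenever the parameter is present; the second always checks expiry and uses the parameter only to decide whether the idle timer is refreshed.

```python
# Added example: a simplified model of the check in library/auth.inc.php,
# not OpenEMR's own code. Auto-refresh pages send skip_timeout_reset=1 so
# that their polling does not count as user activity. The timeout value and
# the Session class are assumptions made for this model.

TIMEOUT_SECONDS = 120  # assumed idle timeout; OpenEMR's value is configurable


class Session:
    def __init__(self, now):
        self.last_activity = now   # time of the last real user request
        self.logged_in = True


def is_session_expired(session, now):
    # Stands in for SessionTracker::isSessionExpired()
    return now - session.last_activity > TIMEOUT_SECONDS


def handle_request_vulnerable(session, params, now):
    """Pre-8.0.0 logic: the whole expiry block sits inside the
    'parameter absent' branch, so a request carrying the parameter
    is never checked and never forced to log out."""
    if "skip_timeout_reset" not in params:
        if is_session_expired(session, now):
            session.logged_in = False
            return "logout"
        session.last_activity = now
    return "ok" if session.logged_in else "logout"


def handle_request_fixed(session, params, now):
    """8.0.0 logic: expiry is always checked; the parameter only
    decides whether this request refreshes the idle timer."""
    if is_session_expired(session, now):
        session.logged_in = False
        return "logout"
    if "skip_timeout_reset" not in params:
        session.last_activity = now
    return "ok"


def replay_refresh_only(handler, gap, duration=600):
    """Log in at t=0, then send nothing but skip_timeout_reset=1
    requests every `gap` seconds; return the outcome of the last one."""
    session = Session(0)
    outcome = "ok"
    for t in range(gap, duration + 1, gap):
        outcome = handler(session, {"skip_timeout_reset": "1"}, t)
        if outcome == "logout":
            break
    return outcome
```

With refresh-only traffic every 30 seconds, the vulnerable handler answers "ok" for the whole ten minutes while the fixed handler forces a logout on the first refresh after the timeout.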


How can this vulnerability impact me?

This vulnerability can have serious security impacts by allowing expired sessions to remain active indefinitely. This means that unauthorized users, such as attackers with stolen session cookies, can maintain access to sensitive patient data without being logged out.

Additionally, abandoned workstations remain active beyond intended timeout policies, increasing the risk of unauthorized data access.

Overall, it undermines session timeout controls designed to protect confidentiality and can lead to exposure of protected health information (PHI).


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability violates session termination requirements mandated by regulations such as HIPAA. By allowing sessions to remain active indefinitely, it undermines critical security controls designed to protect patient data confidentiality.

This failure to enforce session expiration can lead to unauthorized access to protected health information (PHI), putting organizations at risk of non-compliance with HIPAA and potentially other privacy regulations.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring requests to the OpenEMR system that include the parameter `skip_timeout_reset=1`. Such requests bypass the session expiration check, allowing expired sessions to remain active.

A practical detection method is to analyze web server logs or network traffic for requests containing `skip_timeout_reset=1`. This can indicate attempts to exploit the vulnerability or the presence of sessions that are not properly expiring. Keep in mind that legitimate auto-refresh pages such as the Patient Flow Board send this parameter routinely, so a match by itself is not evidence of abuse; what matters is a session that keeps receiving successful responses to such requests after it has been idle (no non-refresh requests) for longer than the configured timeout.

For example, you can use the following command to search for such requests in your web server access logs:

    grep 'skip_timeout_reset=1' /path/to/openemr/access.log

Additionally, to verify the vulnerability, you can perform a proof of concept by setting a short session timeout (e.g., 2 minutes), allowing the session to expire, then accessing a protected page with and without the `skip_timeout_reset=1` parameter. If the session remains active with the parameter, the system is vulnerable. [2]
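Going one step past the grep, an added Python example (not from the advisory or OpenEMR) that correlates each `skip_timeout_reset=1` request with the session's last non-refresh request and the configured timeout, so that routine Flow Board polling inside the timeout is not flagged. The log format with a session id field, the 120-second timeout and the request paths are constructed assumptions for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

TIMEOUT_SECONDS = 120  # assumed configured idle timeout

# Constructed sample log, not a real OpenEMR log. Fields (a format chosen
# for this example; stock access logs carry no session id, so one must be
# logged or joined in): epoch seconds, session id, method, request, status.
# /flow_board.php and the other paths are placeholders, not OpenEMR paths.
SAMPLE_LOG = """\
1700000000 sessA GET /main.php 200
1700000030 sessA GET /flow_board.php?skip_timeout_reset=1 200
1700000100 sessA GET /flow_board.php?skip_timeout_reset=1 200
1700000200 sessA GET /flow_board.php?skip_timeout_reset=1 200
1700000000 sessB GET /main.php 200
1700000090 sessB GET /encounter.php 200
1700000150 sessB GET /flow_board.php?skip_timeout_reset=1 200
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d{3})$")


def has_skip_flag(request):
    """True when the query string carries skip_timeout_reset=1."""
    qs = parse_qs(urlsplit(request).query)
    return qs.get("skip_timeout_reset", [""])[0] == "1"


def find_bypass_suspects(log_text, timeout=TIMEOUT_SECONDS):
    """Return (session, timestamp, idle_seconds) for every successful
    skip_timeout_reset=1 request sent after the session had been idle
    longer than the timeout, i.e. a request a fixed server would have
    answered with a forced logout instead of 200."""
    last_activity = {}   # session id -> time of last non-refresh request
    suspects = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, sid, _method, request, status = m.groups()
        ts = int(ts)
        if not has_skip_flag(request):
            last_activity[sid] = ts   # real activity resets the timer
            continue
        # Refresh request: never resets the timer. With no baseline yet
        # (session first seen on a refresh) the idle time is taken as 0.
        idle = ts - last_activity.get(sid, ts)
        if idle > timeout and status == "200":
            suspects.append((sid, ts, idle))
    return suspects
```

On the sample, only sessA is reported: its third refresh arrives 200 seconds after its last real request and is still answered with 200, while sessB's refresh falls within the timeout.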


What immediate steps should I take to mitigate this vulnerability?

The immediate and most effective mitigation is to upgrade OpenEMR to version 8.0.0 or later, where this vulnerability has been fixed.

The fix ensures that the session expiration check always runs regardless of the presence of the `skip_timeout_reset` parameter, preventing expired sessions from remaining active.

If upgrading immediately is not possible, consider implementing temporary controls such as:

  • Monitoring and blocking requests that include the `skip_timeout_reset=1` parameter at the web application firewall or reverse proxy level, keeping in mind that legitimate auto-refresh pages such as the Patient Flow Board send this parameter and will stop refreshing while it is blocked.
  • Reducing session timeout durations to limit the window of exposure.
  • Enforcing strict session management policies and regularly auditing active sessions.
