Executive Summary

CVE-2026-25476 is a vulnerability in OpenEMR versions prior to 8.0.0 related to improper session expiration handling. The issue arises because when a request includes the parameter `skip_timeout_reset=1`, the system completely skips the session expiration check that normally forces a logout if the session has expired.

This means that expired sessions can continue to access data indefinitely, as the expiration check is bypassed. This flaw allows attackers with stolen session cookies to maintain unauthorized access by continuously sending requests with this parameter, preventing forced logout.

The vulnerability was fixed by changing the code logic so that the session expiration check always runs regardless of the presence of `skip_timeout_reset`. Now, `skip_timeout_reset` only controls whether the session expiration timer is reset, not whether the expiration check is performed.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have serious security impacts by allowing expired sessions to remain active indefinitely. This means that unauthorized users, such as attackers with stolen session cookies, can maintain access to sensitive patient data without being logged out.

Additionally, abandoned workstations remain active beyond intended timeout policies, increasing the risk of unauthorized data access.

Overall, it undermines session timeout controls designed to protect confidentiality and can lead to exposure of protected health information (PHI).

Useful 0 Not Useful 0

Compliance Impact

The vulnerability violates session termination requirements mandated by regulations such as HIPAA. By allowing sessions to remain active indefinitely, it undermines critical security controls designed to protect patient data confidentiality.

This failure to enforce session expiration can lead to unauthorized access to protected health information (PHI), putting organizations at risk of non-compliance with HIPAA and potentially other privacy regulations.

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring requests to the OpenEMR system that include the parameter `skip_timeout_reset=1`. Such requests bypass the session expiration check, allowing expired sessions to remain active.'}, {'type': 'paragraph', 'content': 'A practical detection method is to analyze web server logs or network traffic for requests containing `skip_timeout_reset=1`. This can indicate attempts to exploit the vulnerability or the presence of sessions that are not properly expiring.'}, {'type': 'paragraph', 'content': 'For example, you can use the following command to search for such requests in your web server access logs:'}, {'type': 'list_item', 'content': "grep 'skip_timeout_reset=1' /path/to/openemr/access.log"}, {'type': 'paragraph', 'content': 'Additionally, to verify the vulnerability, you can perform a proof of concept by setting a short session timeout (e.g., 2 minutes), allowing the session to expire, then accessing a protected page with and without the `skip_timeout_reset=1` parameter. If the session remains active with the parameter, the system is vulnerable.'}] [2]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate and most effective mitigation is to upgrade OpenEMR to version 8.0.0 or later, where this vulnerability has been fixed.

The fix ensures that the session expiration check always runs regardless of the presence of the `skip_timeout_reset` parameter, preventing expired sessions from remaining active.

If upgrading immediately is not possible, consider implementing temporary controls such as:

• Monitoring and blocking requests that include the `skip_timeout_reset=1` parameter at the web application firewall or reverse proxy level.
• Reducing session timeout durations to limit the window of exposure.
• Enforcing strict session management policies and regularly auditing active sessions.

Useful 0 Not Useful 0