CVE-2026-25220

6.5 MEDIUM

📋 TL;DR

This vulnerability in OpenEMR allows any authenticated user to view all internal messages in the Message Center by accessing messages.php?show_all=yes. The application fails to verify administrative privileges before honoring the show_all parameter. All OpenEMR installations prior to version 8.0.0 are affected.

💻 Affected Systems

Products:
  • OpenEMR
Versions: All versions prior to 8.0.0
Operating Systems: All platforms running OpenEMR
Default Config Vulnerable: ⚠️ Yes
Notes: All standard OpenEMR installations with Message Center functionality enabled are vulnerable. The vulnerability requires authentication but no special privileges.


⚠️ Risk & Real-World Impact

🔴 Worst Case

An authenticated attacker could access sensitive patient communications, medical notes, and internal staff messages, potentially leading to privacy violations, regulatory penalties, and reputational damage.

🟠 Likely Case

Authenticated users (including patients or non-clinical staff) could inadvertently or intentionally view confidential medical communications they shouldn't have access to.

🟢 If Mitigated

With proper access controls, only authorized administrative users can view all messages, maintaining confidentiality of sensitive medical communications.

🌐 Internet-Facing: HIGH if the OpenEMR instance is exposed to the internet, as any authenticated user (including patients with portal access) could exploit this vulnerability.
🏢 Internal Only: MEDIUM for internal networks, as exploitation still requires authentication but could be performed by any authenticated user within the organization.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation is trivial - simply append ?show_all=yes to the messages.php URL. The GitHub advisory includes details and the patch shows the exact vulnerable code.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.0.0

Vendor Advisory: https://github.com/openemr/openemr/security/advisories/GHSA-phcp-7qjx-83cm

Restart Required: No

Instructions:

1. Back up your OpenEMR installation and database.
2. Download OpenEMR version 8.0.0 or later from the official repository.
3. Follow the OpenEMR upgrade documentation to apply the update.
4. Verify the fix by testing the Message Center functionality.

🔧 Temporary Workarounds

Remove Show All Link for Non-Admins

Applies to: all

Modify the Message Center interface to hide the 'Show All' link for non-administrative users. Hiding the link on its own does not stop a user from requesting the URL directly (see How to Verify), so pair it with the server-side check below.

How: Edit the relevant PHP files to add role-based checks before displaying the Show All link.

Parameter Validation Middleware

Applies to: all

Add server-side validation to reject the show_all=yes parameter from non-admin users.

How: Add role checking in messages.php before processing the show_all parameter, so that the parameter is ignored (or the request rejected) unless the caller holds administrative privileges.

🧯 If You Can't Patch

  • Implement strict access controls and monitor Message Center access logs for unauthorized show_all parameter usage
  • Consider disabling the Message Center functionality temporarily if not critical for operations

🔍 How to Verify

Check if Vulnerable:

As an authenticated non-admin user, access http://[openemr-url]/interface/main/messages/messages.php?show_all=yes. If you can see messages from all users, the system is vulnerable.

Check Version:

Check the OpenEMR version in the interface footer or examine the version.php file in the installation directory

Verify Fix Applied:

After patching, attempt the same URL as a non-admin user. You should only see your own messages, not all users' messages.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to messages.php with show_all=yes parameter from non-admin user accounts
  • Unusual access patterns to Message Center from non-clinical staff

Network Indicators:

  • GET requests containing 'show_all=yes' in the query string

SIEM Query:

source="web_logs" AND url="*messages.php*" AND query="*show_all=yes*" AND user_role!="admin"
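As an added example (not part of this advisory and not OpenEMR's own code), the following Python script applies the same logic as the SIEM query above to Apache combined-format access logs: it flags requests to messages.php that carry show_all=yes and come from an authenticated user whose role is not admin. The log lines and the user-to-role map are constructed for illustration; in a real deployment the role lookup would come from OpenEMR's users table or your identity source, and the parameter match is done case-insensitively so that variant spellings are not missed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access log lines (Apache combined format). These are
# not real OpenEMR logs; they only illustrate the shapes the detector handles.
SAMPLE_LOG = """\
10.0.0.5 - nurse1 [12/Feb/2026:10:15:01 +0000] "GET /interface/main/messages/messages.php?show_all=yes HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - admin [12/Feb/2026:10:16:22 +0000] "GET /interface/main/messages/messages.php?show_all=yes HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
10.0.0.9 - frontdesk [12/Feb/2026:10:17:05 +0000] "GET /interface/main/messages/messages.php?show_all=no HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
10.0.0.5 - nurse1 [12/Feb/2026:10:18:40 +0000] "GET /interface/main/messages/messages.php?form_active=1&show_all=YES HTTP/1.1" 200 5100 "-" "Mozilla/5.0"
10.0.0.11 - - [12/Feb/2026:10:19:00 +0000] "GET /interface/login/login.php HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""

# Constructed user-to-role map. Assumption: in practice this is loaded from
# the OpenEMR users table or from your identity provider.
USER_ROLES = {"admin": "admin", "nurse1": "clinician", "frontdesk": "staff"}

# Fields of the combined log format we need: client IP, authenticated user,
# timestamp, method, request target (path + query string) and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_show_all_request(target):
    """True if the request targets messages.php with show_all=yes (any letter case)."""
    parts = urlsplit(target)
    if not parts.path.endswith("/messages.php"):
        return False
    values = parse_qs(parts.query, keep_blank_values=True).get("show_all", [])
    return any(v.lower() == "yes" for v in values)


def find_suspicious(log_text, roles):
    """Return one alert dict per show_all=yes request made by a non-admin user.

    Unauthenticated lines (user '-') are skipped: the vulnerability requires a
    session, and such lines carry no role to check. Users missing from the
    role map are treated as 'unknown' and flagged, which favours over-alerting
    over silently ignoring an unmapped account.
    """
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["user"] == "-":
            continue
        if not is_show_all_request(rec["target"]):
            continue
        role = roles.get(rec["user"], "unknown")
        if role == "admin":
            continue
        alerts.append({
            "ts": rec["ts"],
            "user": rec["user"],
            "role": role,
            "ip": rec["ip"],
            "status": int(rec["status"]),
            "target": rec["target"],
        })
    return alerts


def format_alert(alert):
    """Render an alert as a single line suitable for forwarding to a SIEM or ticket."""
    return (f"[{alert['ts']}] show_all=yes on messages.php by non-admin user "
            f"{alert['user']} (role={alert['role']}, ip={alert['ip']}, "
            f"status={alert['status']})")


if __name__ == "__main__":
    for a in find_suspicious(SAMPLE_LOG, USER_ROLES):
        print(format_alert(a))
```

Run against the constructed sample, the script reports the two nurse1 requests and stays quiet on the admin request, the show_all=no request and the unauthenticated login line. A non-200 status on a flagged line after patching to 8.0.0 would indicate the request was attempted but denied, which is the expected post-fix behaviour described under How to Verify.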
