CVE-2026-25476

7.5 HIGH

📋 TL;DR

OpenEMR versions before 8.0.0 have a session expiration bypass vulnerability. Attackers can send a specific parameter (skip_timeout_reset=1) to prevent session timeout checks, allowing stolen session cookies to remain active indefinitely. This affects all OpenEMR installations using vulnerable versions.

💻 Affected Systems

Products:
  • OpenEMR
Versions: All versions prior to 8.0.0
Operating Systems: All operating systems running OpenEMR
Default Config Vulnerable: ⚠️ Yes
Notes: All OpenEMR installations using affected versions are vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers with stolen session cookies gain persistent unauthorized access to patient health records, potentially leading to data theft, unauthorized modifications, and HIPAA violations.

🟠 Likely Case: Abandoned workstations remain logged in, allowing unauthorized access to patient data by anyone with physical access. Stolen sessions can be maintained indefinitely.

🟢 If Mitigated: With proper session management controls and monitoring, impact is limited to temporary unauthorized access until sessions naturally expire or are manually terminated.

🌐 Internet-Facing: HIGH - Any internet-facing OpenEMR instance is vulnerable to session hijacking attacks where stolen cookies can be maintained indefinitely.
🏢 Internal Only: MEDIUM - Internal attackers or malware with stolen session cookies can maintain persistent access, but requires initial session compromise.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires a stolen session cookie, but once obtained, maintaining access is trivial by simply including skip_timeout_reset=1 in requests.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.0.0

Vendor Advisory: https://github.com/openemr/openemr/security/advisories/GHSA-gx7q-6fhr-5h33

Restart Required: Yes

Instructions:

1. Back up your OpenEMR installation and database.
2. Download OpenEMR version 8.0.0 or later.
3. Follow the official upgrade instructions at https://www.open-emr.org/wiki/index.php/Upgrading_OpenEMR.
4. Restart your web server.
5. Verify the fix by checking that the skip_timeout_reset parameter no longer bypasses session expiration.

🔧 Temporary Workarounds

Web Application Firewall Rule
Applies to: all
Block or sanitize requests containing the skip_timeout_reset parameter.
WAF-specific configuration required.

Session Timeout Reduction
Applies to: all
Reduce the global session timeout to minimize the exposure window.
Modify $GLOBALS['session_timeout'] in globals.php to a lower value.

🧯 If You Can't Patch

  • Implement strict session management policies including automatic logout after inactivity
  • Deploy network monitoring to detect unusual session patterns and block requests carrying the skip_timeout_reset parameter

🔍 How to Verify

Check if Vulnerable:

Check if your OpenEMR version is below 8.0.0 by viewing the version in the footer or checking the CHANGES file. Also test if adding ?skip_timeout_reset=1 to any URL prevents session timeout.

Check Version:

grep -i 'version' /path/to/openemr/interface/login/login.php | head -1

Verify Fix Applied:

After upgrading to 8.0.0+, verify that adding ?skip_timeout_reset=1 to URLs no longer prevents session expiration. Sessions should still time out according to the configured settings.

📡 Detection & Monitoring

Log Indicators:

  • Multiple requests with the skip_timeout_reset=1 parameter from the same session over an extended period
  • Sessions remaining active beyond configured timeout periods

Network Indicators:

  • HTTP requests containing skip_timeout_reset=1 parameter in query strings
  • Unusual session duration patterns

SIEM Query:

web.url:*skip_timeout_reset=1 AND NOT web.url:*logout* AND event.duration > 3600
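A defender-side check for the two log indicators above, written as an added example rather than code from this advisory or the OpenEMR project; the log line format, the session id column and the request paths are constructed assumptions, and the 3600-second threshold mirrors the SIEM query:

```python
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Constructed sample log (not real OpenEMR output). Assumed per-line format:
# "<ISO-8601 time> <session id> <HTTP status> <method> <path?query>", where the
# session id stands in for the session cookie value your log pipeline records.
SAMPLE_LOG = """\
2026-02-01T09:00:00Z sess-A 200 GET /interface/main/main_screen.php
2026-02-01T09:00:30Z sess-A 200 GET /interface/main/messages.php
2026-02-01T09:05:00Z sess-B 200 GET /interface/main/main_screen.php
2026-02-01T10:30:00Z sess-B 200 GET /interface/patient/demographics.php?skip_timeout_reset=1
2026-02-01T12:30:00Z sess-B 200 GET /interface/patient/demographics.php?skip_timeout_reset=1
2026-02-01T15:00:00Z sess-B 200 GET /interface/patient/demographics.php?skip_timeout_reset=1
2026-02-01T16:00:00Z sess-C 200 GET /interface/logout.php?skip_timeout_reset=1
"""

def has_bypass_param(path):
    """True if the query string carries skip_timeout_reset=1 (the bypass value)."""
    return parse_qs(urlsplit(path).query).get("skip_timeout_reset") == ["1"]

def parse_line(line):
    ts, sid, status, method, path = line.split(maxsplit=4)
    return {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "session": sid, "status": int(status), "path": path}

def find_suspicious_sessions(log_text, timeout_seconds=3600, min_bypass_requests=2):
    """Map session id -> findings for the advisory's two log indicators."""
    by_session = {}
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_session.setdefault(rec["session"], []).append(rec)
    findings = {}
    for sid, reqs in by_session.items():
        reqs.sort(key=lambda r: r["time"])
        notes = []
        # Indicator 1: a request still served (HTTP 200) after a gap longer than the timeout.
        for prev, cur in zip(reqs, reqs[1:]):
            gap = (cur["time"] - prev["time"]).total_seconds()
            if gap > timeout_seconds and cur["status"] == 200:
                notes.append(f"accepted {int(gap)}s after previous activity (timeout {timeout_seconds}s)")
        # Indicator 2: repeated skip_timeout_reset=1 requests; logout URLs excluded as in the SIEM query.
        bypass = [r for r in reqs if has_bypass_param(r["path"]) and "logout" not in r["path"]]
        if len(bypass) >= min_bypass_requests:
            span = (bypass[-1]["time"] - bypass[0]["time"]).total_seconds()
            if span > timeout_seconds:
                notes.append(f"{len(bypass)} skip_timeout_reset=1 requests spanning {int(span)}s")
        if notes:
            findings[sid] = notes
    return findings
```

Running `find_suspicious_sessions(SAMPLE_LOG)` flags only sess-B; sess-C's single logout request is ignored, matching the `NOT web.url:*logout*` clause.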
