CVE-2026-25220
OpenEMR Messages "Show All" Not Restricted to Admins
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the Message Center accepts the URL parameter `show_all=yes` and passes it to `getPnotesByUser()`, which returns all internal messages (all usersβ notes). The backend does not verify that the requesting user is an administrator before honoring `show_all=yes`. The "Show All" link is also visible to non-admin users. As a result, any authenticated user can view the entire internal message list by requesting `messages.php?show_all=yes`. Version 8.0.0 patches the issue.
| CWE | CWE-639 |
| Vendor | openemr |
| Product | openemr |
| Published | Feb 25, 2026 |
| Last Updated | Feb 26, 2026 |
Stay Ahead of the Next One
Get instant alerts for openemr openemr
Be the first to know when new unknown vulnerabilities affecting openemr openemr are published β delivered to Slack, Telegram or Discord.
Get Free Alerts β
Free Β· No credit card Β· 60 sec setup
Affected Versions
openemr / openemr
< 8.0.0