CVE-2026-25220 – OpenEMR Messages “Show All” Not Restricted to Admins

CVE ID : CVE-2026-25220

Published : Feb. 25, 2026, 6:25 p.m. | 43 minutes ago

Description : OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the Message Center accepts the URL parameter `show_all=yes` and passes it to `getPnotesByUser()`, which returns all internal messages (all users’ notes). The backend does not verify that the requesting user is an administrator before honoring `show_all=yes`. The “Show All” link is also visible to non-admin users. As a result, any authenticated user can view the entire internal message list by requesting `messages.php?show_all=yes`. Version 8.0.0 patches the issue.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…