Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the OpenEMR application is vulnerable to an access control flaw that allows low-privileged users, such as receptionists, to export the entire message list containing sensitive patient and user data. The vulnerability lies in the message_list.php report export functionality, where there is no permission check before executing sensitive database queries. The only control in place is CSRF token verification, which does not prevent unauthorized data access if the token is acquired through other means. Version 8.0.0 fixes the vulnerability.
Published: 2026-02-25
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized data disclosure
Action: Apply patch
AI Analysis

Impact

A broken access control flaw in OpenEMR's message_list.php report export allows users with low privileges, such as receptionists, to request a CSV download that retrieves the entire internal message list containing sensitive patient and user data. The flaw stems from the absence of a permission check before executing the database query; the only safeguard is CSRF token verification, which does not prevent unauthorized data gathering if a token can be obtained or forged.
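The pattern the analysis describes, as a constructed illustration added here (it is not OpenEMR's code and does not reproduce the actual message_list.php handler): an export routine whose only gate is CSRF verification, beside the same routine with a server-side authorization check in front of the query. The session layout, the role names, the `verify_csrf()` and `has_permission()` helpers, the `export_messages` capability name and the message rows are all assumptions made for this example.

```php
<?php
// Added illustration of the CWE-862 pattern, not OpenEMR's code. Everything
// below (session shape, roles, capability name, helpers, data) is constructed.

declare(strict_types=1);

// Stand-in for a per-session anti-CSRF token.
const CSRF_TOKEN = 'constructed-session-token';

// Constructed rows standing in for the message list table.
const MESSAGES = [
    ['pid' => 101, 'patient' => 'Doe, Jane', 'body' => 'Lab results ready'],
    ['pid' => 102, 'patient' => 'Roe, Rick', 'body' => 'Refill request'],
];

// Constructed ACL: only these roles hold the export capability.
// A "receptionist" role is deliberately absent from the table.
function has_permission(string $role, string $capability): bool
{
    $acl = [
        'admin'     => ['export_messages' => true],
        'clinician' => ['export_messages' => true],
    ];
    return $acl[$role][$capability] ?? false;
}

// Constant-time comparison against the session token.
function verify_csrf(string $supplied): bool
{
    return hash_equals(CSRF_TOKEN, $supplied);
}

// Minimal CSV serialisation of the rows.
function to_csv(array $rows): string
{
    $out = fopen('php://memory', 'r+');
    fputcsv($out, ['pid', 'patient', 'body']);
    foreach ($rows as $r) {
        fputcsv($out, [$r['pid'], $r['patient'], $r['body']]);
    }
    rewind($out);
    return stream_get_contents($out);
}

// Vulnerable shape: a valid CSRF token is the only control before the
// "query" (here, reading MESSAGES) runs. The caller's role is never consulted,
// so any authenticated user who can obtain a token receives the full export.
function export_vulnerable(array $session, array $request): ?string
{
    if (!verify_csrf($request['csrf_token'] ?? '')) {
        return null;
    }
    return to_csv(MESSAGES);
}

// Hardened shape: the same CSRF check, followed by an authorization check
// that runs before any data is touched. CSRF protection answers "did this
// user intend the request"; the ACL check answers "may this user do it".
function export_hardened(array $session, array $request): ?string
{
    if (!verify_csrf($request['csrf_token'] ?? '')) {
        return null;
    }
    if (!has_permission($session['role'] ?? '', 'export_messages')) {
        return null;
    }
    return to_csv(MESSAGES);
}

// Demonstration: a low-privilege session presenting a valid token.
$session = ['role' => 'receptionist'];
$request = ['csrf_token' => CSRF_TOKEN];

echo "vulnerable handler returned data: ",
    export_vulnerable($session, $request) !== null ? 'yes' : 'no', PHP_EOL;
echo "hardened handler returned data:   ",
    export_hardened($session, $request) !== null ? 'yes' : 'no', PHP_EOL;
```

The design point is the ordering: the authorization decision must be made on server-held session state and must precede the database access, because a CSRF token only proves the request originated from the user's own session, not that the session is entitled to the data.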

Affected Systems

The vulnerability affects all OpenEMR releases prior to version 8.0.0 across all operating systems. Organizations running these older builds are at risk, irrespective of the underlying platform.

Risk and Exploitability

The assigned CVSS score of 6.5 places the issue in the medium severity category. EPSS indicates an exploitation probability below 1%, and the vulnerability is not listed in the CISA KEV catalog. An attacker would typically send a crafted request to message_list.php carrying a valid CSRF token and the low-privilege user's permissions, triggering the export and leaking confidential data.

Generated by OpenCVE AI on April 18, 2026 at 10:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenEMR to version 8.0.0 or later to apply the official fix that adds proper permission checks.
  • After upgrading, audit and adjust role permissions so that only authorized users can access export reports; remove the export capability from low-privileged roles.
  • If an upgrade cannot be performed immediately, disable the message list export functionality for low-privilege accounts or implement an application-level firewall rule to block message_list.php requests from those users.



Advisories

No advisories yet.

History

Wed, 25 Feb 2026 22:15:00 +0000

  • Metrics (ssvc), values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Feb 2026 17:00:00 +0000

  • First Time appeared, values added: Open-emr; Open-emr openemr
  • CPEs, values added: cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*
  • Vendors & Products, values added: Open-emr; Open-emr openemr

Wed, 25 Feb 2026 12:00:00 +0000

  • First Time appeared, values added: Openemr; Openemr openemr
  • Vendors & Products, values added: Openemr; Openemr openemr

Wed, 25 Feb 2026 02:00:00 +0000

  • Description, value added: OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the OpenEMR application is vulnerable to an access control flaw that allows low-privileged users, such as receptionists, to export the entire message list containing sensitive patient and user data. The vulnerability lies in the message_list.php report export functionality, where there is no permission check before executing sensitive database queries. The only control in place is CSRF token verification, which does not prevent unauthorized data access if the token is acquired through other means. Version 8.0.0 fixes the vulnerability.
  • Title, value added: OpenEMR has Broken Access Control in Report/Clients/Message List CSV Export
  • Weaknesses, value added: CWE-862
  • References: (empty)
  • Metrics (cvssV3_1), value added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-25T20:50:25.100Z

Reserved: 2026-01-29T14:03:42.539Z

Link: CVE-2026-25124

Vulnrichment

Updated: 2026-02-25T20:49:53.008Z

NVD

Status: Analyzed

Published: 2026-02-25T02:16:22.550

Modified: 2026-02-25T16:54:00.173

Link: CVE-2026-25124

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T11:00:05Z

Weaknesses