Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the Message Center accepts the URL parameter `show_all=yes` and passes it to `getPnotesByUser()`, which returns all internal messages (all users’ notes). The backend does not verify that the requesting user is an administrator before honoring `show_all=yes`. The "Show All" link is also visible to non-admin users. As a result, any authenticated user can view the entire internal message list by requesting `messages.php?show_all=yes`. Version 8.0.0 patches the issue.
Published: 2026-02-25
Score: 5.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Disclosure of Internal Messages
Action: Immediate Patch
AI Analysis

Impact

The vulnerability originates from the Message Center accepting the URL parameter show_all and passing it to the backend function getPnotesByUser() which returns all internal messages without verifying that the requester is an administrator. As a result, any authenticated user can view the entire internal message list by requesting messages.php?show_all=yes, exposing confidential communications intended only for authorized personnel. This flaw corresponds to CWE‑639: Privilege Mismatch.

Affected Systems

Affected installations are all OpenEMR versions older than 8.0.0. The issue is present in the product from the openemr vendor and is not listed for any other software in the CVE record.

Risk and Exploitability

The CVSS score of 5.7 indicates a moderate impact. The EPSS score of less than 1% suggests a low probability of exploitation, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Likely an attacker must be an authenticated user with access to the OpenEMR web interface; the exploit would involve sending a request to messages.php?show_all=yes. Because the flaw is an information disclosure that does not require elevated privileges beyond authentication, the risk is moderate but still requires remediation.

Generated by OpenCVE AI on April 17, 2026 at 15:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to OpenEMR version 8.0.0 or later, which removes the show_all functionality.
  • If an upgrade is not feasible, modify the Message Center to enforce an administrative check before calling getPnotesByUser and disallow the show_all parameter for non‑administrator sessions.
  • Remove or hide the 'Show All' link on the front end for users without administrator privileges to prevent accidental exploitation.

Generated by OpenCVE AI on April 17, 2026 at 15:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Feb 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Open-emr
Open-emr openemr
CPEs cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*
Vendors & Products Open-emr
Open-emr openemr
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Thu, 26 Feb 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Openemr
Openemr openemr
Vendors & Products Openemr
Openemr openemr

Wed, 25 Feb 2026 19:00:00 +0000

Type Values Removed Values Added
Description OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the Message Center accepts the URL parameter `show_all=yes` and passes it to `getPnotesByUser()`, which returns all internal messages (all users’ notes). The backend does not verify that the requesting user is an administrator before honoring `show_all=yes`. The "Show All" link is also visible to non-admin users. As a result, any authenticated user can view the entire internal message list by requesting `messages.php?show_all=yes`. Version 8.0.0 patches the issue.
Title OpenEMR Messages "Show All" Not Restricted to Admins
Weaknesses CWE-639
References
Metrics cvssV4_0

{'score': 5.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Open-emr Openemr
Openemr Openemr
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T16:12:36.374Z

Reserved: 2026-01-30T14:44:47.326Z

Link: CVE-2026-25220

cve-icon Vulnrichment

Updated: 2026-02-26T16:12:17.442Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-25T19:43:21.993

Modified: 2026-02-27T14:41:14.847

Link: CVE-2026-25220

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T15:15:21Z

Weaknesses