Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the session expiration check in `library/auth.inc.php` runs only when `skip_timeout_reset` is not present in the request. When `skip_timeout_reset=1` is sent, the entire block that calls `SessionTracker::isSessionExpired()` and forces logout on timeout is skipped. As a result, any request that includes this parameter (e.g. from auto-refresh pages like the Patient Flow Board) never runs the expiration check: expired sessions can continue to access data indefinitely, abandoned workstations stay active, and an attacker with a stolen session cookie can keep sending `skip_timeout_reset=1` to avoid being logged out. Version 8.0.0 fixes the issue.
Published: 2026-02-25
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Session Timeout Bypass allowing attackers to maintain access with stolen session cookies
Action: Immediate Patch
AI Analysis

Impact

The affected code checks for the presence of the query parameter skip_timeout_reset; if present, the session expiration logic is skipped. This permits any request that includes skip_timeout_reset=1 to bypass the normal timeout and keep an expired session alive. An attacker in possession of a session cookie can repeatedly add this parameter to requests and continue to read or modify protected data indefinitely, and unattended workstations remain logged in.
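As an added illustration, not OpenEMR's own code: the control-flow shape that the Description and Impact sections describe (the expiration check nested inside the "no skip_timeout_reset" guard), next to the hardened form in which the expiration check always runs and the parameter only suppresses the last-activity refresh that a polling page would otherwise cause. SessionGuard, its methods, the 30-minute idle timeout and the sample session array are assumed stand-ins for OpenEMR's SessionTracker and the real `library/auth.inc.php`, which is not reproduced here; the intended meaning of the parameter (do not extend the session, but still enforce it) is likewise an assumption drawn from its name. With a session last active an hour ago, the vulnerable path accepts the polling request while the hardened path forces a logout.

```php
<?php
// Added example for CVE-2026-25476 (not OpenEMR code). Requires PHP 8.0+.
declare(strict_types=1);

/** Hypothetical stand-in for OpenEMR's SessionTracker. */
final class SessionGuard
{
    public function __construct(private int $idleTimeoutSeconds) {}

    /** True when the session has been idle longer than the configured timeout. */
    public function isSessionExpired(array $session, int $now): bool
    {
        // A session that never recorded activity is treated as expired.
        $last = $session['last_activity'] ?? 0;
        return ($now - $last) > $this->idleTimeoutSeconds;
    }

    /** Record activity so the idle clock restarts. */
    public function touch(array &$session, int $now): void
    {
        $session['last_activity'] = $now;
    }
}

/** Vulnerable shape: the expiration check only runs when the parameter is absent. */
function vulnerableCheck(SessionGuard $guard, array &$session, array $request, int $now): string
{
    if (!isset($request['skip_timeout_reset'])) {
        if ($guard->isSessionExpired($session, $now)) {
            $session = [];               // force logout
            return 'logout';
        }
        $guard->touch($session, $now);   // an ordinary request extends the session
    }
    // With skip_timeout_reset=1 nothing above executes, so an expired session is
    // accepted as if it were still valid.
    return 'ok';
}

/** Hardened shape: always enforce expiration; the parameter only skips the refresh. */
function hardenedCheck(SessionGuard $guard, array &$session, array $request, int $now): string
{
    if ($guard->isSessionExpired($session, $now)) {
        $session = [];
        return 'logout';
    }
    if (!isset($request['skip_timeout_reset'])) {
        $guard->touch($session, $now);
    }
    return 'ok';
}

// Constructed scenario: 30-minute idle timeout, session last active one hour ago.
$guard = new SessionGuard(1800);
$now   = 1_000_000;
$stale = ['user' => 'alice', 'last_activity' => $now - 3600];
$poll  = ['skip_timeout_reset' => '1'];   // what an auto-refresh page would send

$s = $stale;
echo 'vulnerable, polling request:  ', vulnerableCheck($guard, $s, $poll, $now), PHP_EOL;
$s = $stale;
echo 'hardened,   polling request:  ', hardenedCheck($guard, $s, $poll, $now), PHP_EOL;
$s = $stale;
echo 'hardened,   ordinary request: ', hardenedCheck($guard, $s, [], $now), PHP_EOL;
```

The fix is purely a matter of ordering: expiration must be decided before any request-controlled flag is consulted, and that flag may influence only whether the idle clock is reset. A request parameter should never be able to choose whether an authorization-relevant check runs at all.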

Affected Systems

OpenEMR products prior to version 8.0.0 are vulnerable. The issue was present in all releases before the 8.x line, and the fix is included starting with OpenEMR 8.0.0.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, but the EPSS score of less than 1% suggests exploitation is currently unlikely. Because the flaw is triggered by a client-controllable HTTP request parameter, a remote attacker who has obtained a session cookie can exploit it from any location, regardless of network segmentation. The vulnerability is not listed in the CISA KEV catalog, so no in-the-wild exploitation is known yet, but the potential for data leakage remains significant.

Generated by OpenCVE AI on April 17, 2026 at 15:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to OpenEMR 8.0.0 or later.
  • If an upgrade is not immediately feasible, block or remove support for the skip_timeout_reset parameter in the application or via web server rules to prevent bypassing of the expiration check.
  • Ensure session cookie invalidation occurs after a chosen idle timeout or at server shutdown, and routinely audit active sessions.


Advisories

No advisories yet.

History

Sat, 28 Feb 2026 00:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Open-emr; Open-emr openemr
CPEs                |                | cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*
Vendors & Products  |                | Open-emr; Open-emr openemr

Thu, 26 Feb 2026 13:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Openemr; Openemr openemr
Vendors & Products  |                | Openemr; Openemr openemr

Wed, 25 Feb 2026 19:00:00 +0000

Type        | Values Removed | Values Added
Description |                | OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the session expiration check in `library/auth.inc.php` runs only when `skip_timeout_reset` is not present in the request. When `skip_timeout_reset=1` is sent, the entire block that calls `SessionTracker::isSessionExpired()` and forces logout on timeout is skipped. As a result, any request that includes this parameter (e.g. from auto-refresh pages like the Patient Flow Board) never runs the expiration check: expired sessions can continue to access data indefinitely, abandoned workstations stay active, and an attacker with a stolen session cookie can keep sending `skip_timeout_reset=1` to avoid being logged out. Version 8.0.0 fixes the issue.
Title       |                | OpenEMR has Session Timeout Bypass via skip_timeout_reset
Weaknesses  |                | CWE-613
References  |                |
Metrics     |                | cvssV3_1: score 7.5, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T16:04:10.627Z

Reserved: 2026-02-02T16:31:35.820Z

Link: CVE-2026-25476

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-02-25T19:43:22.157

Modified: 2026-02-28T00:42:46.193

Link: CVE-2026-25476

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T15:15:21Z

Weaknesses