PT-2026-21826 · Openemr · Openemr

Heshamm1 · Published 2026-02-25 · Updated 2026-02-25 · CVE-2026-25124

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: OpenEMR versions prior to 8.0.0

Description: OpenEMR is an electronic health records and medical practice management application. Versions prior to 8.0.0 contain an access control flaw that allows users with limited privileges, such as receptionists, to export the complete message list, including sensitive patient and user data. The issue is located in the message list.php report export functionality, which lacks a permission check before executing its database queries. The existing CSRF token verification only establishes that the request originated from the user's own session; it does not prevent unauthorized data access by an authenticated low-privilege user, and offers no protection at all if the token is compromised.

Recommendations: Update to version 8.0.0 or later.
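The distinction the description draws, between a CSRF token (which defends against forged requests) and an authorization check (which decides whether this user may see this data), is illustrated below. This is an added example and not OpenEMR's code: the role names, the permission strings, the ACL map and the message rows are all constructed here, and the two handler functions are hypothetical stand-ins for a report export endpoint.

```php
<?php
// Added illustration (not OpenEMR code): a report-export handler that treats
// the CSRF token purely as a request-forgery defence and gates the database
// query on an explicit permission check.
declare(strict_types=1);

// Constructed role -> permission map standing in for a real ACL store.
const ROLE_PERMISSIONS = [
    'administrator' => ['messages:export', 'messages:read'],
    'clinician'     => ['messages:read'],
    'receptionist'  => ['appointments:read'],
];

// Constructed message rows standing in for the result of the export query.
const MESSAGES = [
    ['id' => 1, 'patient' => 'Patient A (constructed)', 'body' => 'Lab results ready'],
    ['id' => 2, 'patient' => 'Patient B (constructed)', 'body' => 'Refill request'],
];

// Constructed session: the logged-in role and the per-session CSRF token.
function make_session(string $role): array {
    return ['role' => $role, 'csrf_token' => bin2hex(random_bytes(16))];
}

// Constant-time comparison. Passing this proves only that the request was
// issued from a page the user loaded, i.e. it is not cross-site forgery.
function csrf_token_valid(array $session, string $submitted): bool {
    return hash_equals($session['csrf_token'], $submitted);
}

// The authorization decision: does this role hold the required permission?
function has_permission(array $session, string $permission): bool {
    return in_array($permission, ROLE_PERMISSIONS[$session['role']] ?? [], true);
}

// Vulnerable pattern: the CSRF check is the only gate before the query runs,
// so every authenticated role reaches the data.
function export_messages_vulnerable(array $session, string $submitted_token): ?array {
    if (!csrf_token_valid($session, $submitted_token)) {
        return null;
    }
    return MESSAGES;
}

// Hardened pattern: CSRF check first, then an explicit authorization decision
// before any query executes. Denials are logged for detection.
function export_messages_hardened(array $session, string $submitted_token): ?array {
    if (!csrf_token_valid($session, $submitted_token)) {
        return null;
    }
    if (!has_permission($session, 'messages:export')) {
        error_log(sprintf('authz denied: role=%s action=messages:export', $session['role']));
        return null; // maps to HTTP 403 in a web context
    }
    return MESSAGES;
}

// Demonstration with a receptionist presenting a perfectly valid CSRF token.
$receptionist = make_session('receptionist');
$token = $receptionist['csrf_token'];
echo 'vulnerable handler, receptionist: ',
     export_messages_vulnerable($receptionist, $token) === null ? 'denied' : 'exported', PHP_EOL;
echo 'hardened handler, receptionist:   ',
     export_messages_hardened($receptionist, $token) === null ? 'denied' : 'exported', PHP_EOL;

$admin = make_session('administrator');
echo 'hardened handler, administrator:  ',
     export_messages_hardened($admin, $admin['csrf_token']) === null ? 'denied' : 'exported', PHP_EOL;
```

Run with `php export_example.php`. The receptionist passes the CSRF check in both handlers; only the hardened one denies the export, and it does so before any query is built, which is where the permission check in the fixed version needs to sit.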

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2026-25124, GHSA-Q7P5-RRWJ-QMP2

Affected Products: Openemr