PT-2026-21976 · Openemr · Openemr

Simecek · Published 2026-02-25 · Updated 2026-02-27 · CVE-2026-25220

CVSS v4.0: 7.1 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: OpenEMR versions prior to 8.0.0

Description: OpenEMR is an electronic health records and medical practice management application. Prior to version 8.0.0, the Message Center does not verify administrator privileges when handling the show_all=yes URL parameter passed to the getPnotesByUser() function. This allows any authenticated user to view all internal messages by requesting the /messages.php?show_all=yes endpoint. The "Show All" link is also visible to non-administrator users, enabling unauthorized access to internal messages.

Recommendations: Update to version 8.0.0 or later.
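The defect described above is a missing server-side authorization check on a caller-supplied flag. The following PHP sketch is an added illustration, not OpenEMR's code: the function names, the `show_all` parameter and the session fields are modelled on the advisory text, and the message store is a constructed in-memory sample.

```php
<?php
// Added illustration (not OpenEMR's code): getPnotesByUser*, the show_all
// flag and the session shape are hypothetical names taken from the advisory.
declare(strict_types=1);

// Constructed sample message store: recipient plus body.
const SAMPLE_NOTES = [
    ['id' => 1, 'assigned_to' => 'nurse1', 'body' => 'Lab results for room 4'],
    ['id' => 2, 'assigned_to' => 'admin',  'body' => 'Payroll question'],
    ['id' => 3, 'assigned_to' => 'nurse2', 'body' => 'Refill request'],
];

// Vulnerable shape: the request flag alone decides whether every user's
// messages are returned, so any authenticated user who sends show_all=yes
// receives all internal messages.
function getPnotesByUserVulnerable(string $user, bool $showAll): array
{
    return array_values(array_filter(
        SAMPLE_NOTES,
        fn(array $n) => $showAll || $n['assigned_to'] === $user
    ));
}

// Hardened shape: the flag is honoured only when the server-side session
// marks the caller as an administrator; everyone else stays scoped to
// their own messages. Hiding the "Show All" link in the UI is not a
// substitute for this check, because the URL can be requested directly.
function getPnotesByUserFixed(string $user, bool $showAll, bool $isAdmin): array
{
    $showAll = $showAll && $isAdmin;   // authorization decided server-side
    return array_values(array_filter(
        SAMPLE_NOTES,
        fn(array $n) => $showAll || $n['assigned_to'] === $user
    ));
}

// Request handler in the style of messages.php?show_all=yes (hypothetical).
function handleMessagesRequest(array $query, array $session): array
{
    $showAll = ($query['show_all'] ?? '') === 'yes';
    $isAdmin = (bool)($session['is_admin'] ?? false);
    return getPnotesByUserFixed($session['user'], $showAll, $isAdmin);
}

// Non-admin requesting show_all=yes still sees only their own message.
$nurse = handleMessagesRequest(['show_all' => 'yes'], ['user' => 'nurse1', 'is_admin' => false]);
assert(count($nurse) === 1 && $nurse[0]['id'] === 1);
// Administrator with the same request receives the full list.
$admin = handleMessagesRequest(['show_all' => 'yes'], ['user' => 'admin', 'is_admin' => true]);
assert(count($admin) === 3);
```

Contrast the two functions with the same inputs: `getPnotesByUserVulnerable('nurse1', true)` returns all three notes, while the fixed path returns one unless the session is administrative.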

Tags: Exploit, Fix, IDOR

Weakness Enumeration

Related Identifiers: CVE-2026-25220, GHSA-PHCP-7QJX-83CM

Affected Products: Openemr