CVE-2026-25476

Name of the Vulnerable Software and Affected Versions OpenEMR versions prior to 8.0.0

Description OpenEMR is an electronic health records and medical practice management application. Prior to version 8.0.0, the session expiration check within the library/auth.inc.php file could be bypassed. Specifically, when the skip timeout reset parameter is set to '1' in a request, the session expiration check, including the call to the SessionTracker::isSessionExpired() function, is skipped. This allows expired sessions to remain active, potentially enabling an attacker with a stolen session cookie to maintain access indefinitely by continuously including the skip timeout reset=1 parameter in their requests.

Recommendations Update to version 8.0.0 or later.