OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the Message Center accepts the URL parameter show_all=yes and passes it to getPnotesByUser(), which returns all internal messages (all users’ notes). The backend does not verify that the requesting user is an administrator before honoring show_all=yes. The "Show All" link is also visible to non-admin users. As a result, any authenticated user can view the entire internal message list by requesting messages.php?show_all=yes. Version 8.0.0 patches the issue.
{
"cwe_ids": [
"CWE-639"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25220.json",
"cna_assigner": "GitHub_M"
}{
"cpe": "cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "8.0.0"
}
],
"source": [
"CPE_RANGE",
"REFERENCES"
]
}