OpenEMR Prior to 8.0.0 Allows Unauthorized Access to Patient Data
CVE-2026-25124
Summary
OpenEMR, a free and open source electronic health records system, had a missing-authorization flaw (CWE-862) in the message list report export (message_list.php). The export ran its database queries after verifying only the CSRF token, with no permission check, so any low-privileged authenticated user, such as a receptionist, could export the entire message list, including sensitive patient and user data. A CSRF token is not an authorization control: every logged-in user holds a valid one for their own session. If you run OpenEMR, update to version 8.0.0 or later.
What to do
Upgrade to OpenEMR 8.0.0 or later, which adds the missing permission check (see the vendor advisory and patch commit below). Until then, treat message list export as reachable by any authenticated user and restrict low-privilege accounts accordingly.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| open-emr | openemr | < 8.0.0 | 8.0.0 |
Original title
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the OpenEMR application is vulnerable to an access control flaw that...
Original description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the OpenEMR application is vulnerable to an access control flaw that allows low-privileged users, such as receptionists, to export the entire message list containing sensitive patient and user data. The vulnerability lies in the message_list.php report export functionality, where there is no permission check before executing sensitive database queries. The only control in place is CSRF token verification, which does not prevent unauthorized data access if the token is acquired through other means. Version 8.0.0 fixes the vulnerability.
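The pattern the advisory describes, as an added example that is not OpenEMR's code: a report export whose only gate is CSRF token verification, beside the corrected form that also checks the caller's permission before running the query. This is a Python model of the control flow, not the project's PHP; the role names, the `EXPORT_ACL` set, the `Session` type and the sample message rows are all constructed assumptions.

```python
"""CWE-862 in an export endpoint: CSRF check alone vs. CSRF check plus authorization.

Constructed illustration; not OpenEMR code. Roles, ACL, and data are assumptions.
"""
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample rows standing in for the message list table.
MESSAGES = [
    {"id": 1, "patient": "Doe, Jane", "assigned_to": "dr_smith", "body": "Lab results ready"},
    {"id": 2, "patient": "Roe, Rick", "assigned_to": "dr_jones", "body": "Refill request"},
]

# Hypothetical ACL: roles permitted to export the full message report.
EXPORT_ACL = {"admin", "clinician"}


@dataclass
class Session:
    """Authenticated session; every logged-in user gets a valid CSRF token."""
    user: str
    role: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


def verify_csrf(session: Session, submitted: str) -> bool:
    """Constant-time comparison of the submitted token with the session's token."""
    return hmac.compare_digest(session.csrf_token, submitted)


def export_messages_vulnerable(session: Session, submitted_token: str) -> list:
    """Pre-fix pattern: CSRF is the only control, so any authenticated user exports everything."""
    if not verify_csrf(session, submitted_token):
        raise PermissionError("csrf token mismatch")
    # No authorization check here: the query runs for a receptionist as readily as for an admin.
    return list(MESSAGES)


def export_messages_fixed(session: Session, submitted_token: str) -> list:
    """Fixed pattern: CSRF check AND an authorization check before touching the data."""
    if not verify_csrf(session, submitted_token):
        raise PermissionError("csrf token mismatch")
    if session.role not in EXPORT_ACL:
        raise PermissionError(f"role {session.role!r} may not export the message list")
    return list(MESSAGES)


def attempt(handler, session: Session, submitted_token: str) -> tuple:
    """Run a handler and report ('ok', row_count) or ('denied', reason)."""
    try:
        rows = handler(session, submitted_token)
        return ("ok", len(rows))
    except PermissionError as exc:
        return ("denied", str(exc))


if __name__ == "__main__":
    receptionist = Session(user="front_desk", role="receptionist")
    clinician = Session(user="dr_smith", role="clinician")
    # The receptionist's own session token passes CSRF; only the fixed handler stops the export.
    print("vulnerable, receptionist:", attempt(export_messages_vulnerable, receptionist, receptionist.csrf_token))
    print("fixed, receptionist:     ", attempt(export_messages_fixed, receptionist, receptionist.csrf_token))
    print("fixed, clinician:        ", attempt(export_messages_fixed, clinician, clinician.csrf_token))
    print("fixed, forged token:     ", attempt(export_messages_fixed, clinician, "0" * 32))
```

The point the comparison makes: the receptionist does not need to steal anyone's token, because a CSRF token is issued to every authenticated session and proves only that the request originated from that user's own page, not that the user is allowed to see the data. Authorization has to be a separate check that runs before the sensitive query.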
nvd CVSS3.1
6.5
Vulnerability type
CWE-862
Missing Authorization
References
- https://github.com/openemr/openemr/commit/ad902d6892482fff2e3c56bfb15597df8b6c3b... (Patch)
- https://github.com/openemr/openemr/security/advisories/GHSA-q7p5-rrwj-qmp2 (Exploit, Mitigation, Vendor Advisory)
Published: 25 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026