{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25476", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-02T16:31:35.820Z", "datePublished": "2026-02-25T18:28:29.881Z", "dateUpdated": "2026-02-26T16:04:10.627Z"}, "containers": {"cna": {"title": "OpenEMR has Session Timeout Bypass via skip_timeout_reset", "problemTypes": [{"descriptions": [{"cweId": "CWE-613", "lang": "en", "description": "CWE-613: Insufficient Session Expiration", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/openemr/openemr/security/advisories/GHSA-gx7q-6fhr-5h33", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openemr/openemr/security/advisories/GHSA-gx7q-6fhr-5h33"}, {"name": "https://github.com/openemr/openemr/commit/02a6a7793402b10356a94626d78e0e1069e92a77", "tags": ["x_refsource_MISC"], "url": "https://github.com/openemr/openemr/commit/02a6a7793402b10356a94626d78e0e1069e92a77"}], "affected": [{"vendor": "openemr", "product": "openemr", "versions": [{"version": "< 8.0.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-25T18:28:29.881Z"}, "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the session expiration check in `library/auth.inc.php` runs only when `skip_timeout_reset` is not present in the request. When `skip_timeout_reset=1` is sent, the entire block that calls `SessionTracker::isSessionExpired()` and forces logout on timeout is skipped. As a result, any request that includes this parameter (e.g. from auto-refresh pages like the Patient Flow Board) never runs the expiration check: expired sessions can continue to access data indefinitely, abandoned workstations stay active, and an attacker with a stolen session cookie can keep sending `skip_timeout_reset=1` to avoid being logged out. Version 8.0.0 fixes the issue."}], "source": {"advisory": "GHSA-gx7q-6fhr-5h33", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/openemr/openemr/security/advisories/GHSA-gx7q-6fhr-5h33", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-26T16:04:05.332969Z", "id": "CVE-2026-25476", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T16:04:10.627Z"}}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*", "matchCriteriaId": "FEAA9896-A42E-437C-BEE8-8DA955E34385", "versionEndExcluding": "8.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the session expiration check in `library/auth.inc.php` runs only when `skip_timeout_reset` is not present in the request. When `skip_timeout_reset=1` is sent, the entire block that calls `SessionTracker::isSessionExpired()` and forces logout on timeout is skipped. As a result, any request that includes this parameter (e.g. from auto-refresh pages like the Patient Flow Board) never runs the expiration check: expired sessions can continue to access data indefinitely, abandoned workstations stay active, and an attacker with a stolen session cookie can keep sending `skip_timeout_reset=1` to avoid being logged out. Version 8.0.0 fixes the issue."}], "id": "CVE-2026-25476", "lastModified": "2026-02-28T00:42:46.193", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-25T19:43:22.157", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/openemr/openemr/commit/02a6a7793402b10356a94626d78e0e1069e92a77"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/openemr/openemr/security/advisories/GHSA-gx7q-6fhr-5h33"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/openemr/openemr/security/advisories/GHSA-gx7q-6fhr-5h33"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-613"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,8.0.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "openemr", "source": "cna", "vendor": "openemr"}, "product": "openemr", "vendor": "openemr"}], "analysis": {"en": {"generated_at": "2026-04-17T15:02:11.855303+00:00", "value": {"mitigation_remediation": ["Upgrade to OpenEMR 8.0.0 or later.", "If an upgrade is not immediately feasible, block or remove support for the skip_timeout_reset parameter in the application or via web server rules to prevent bypassing of the expiration check.", "Ensure session cookie invalidation occurs after a chosen idle timeout or at server shutdown, and routinely audit active sessions."], "summary": {"action": "Immediate Patch", "impact": "Session Timeout Bypass allowing attackers to maintain access with stolen session cookies"}, "threat_synthesis": {"affected_systems": "OpenEMR products prior to version 8.0.0 are vulnerable. The issue was present in all releases before the 8.x line, and the fix is included starting with OpenEMR 8.0.0.", "description_and_impact": "The affected code checks for the presence of the query parameter skip_timeout_reset; if present, the session expiration logic is skipped. This permits any request that includes skip_timeout_reset=1 to bypass the normal timeout and keep an expired session alive. An attacker in possession of a session cookie can repeatedly add this parameter to requests and continue to read or modify protected data indefinitely, and unattended workstations remain logged in.", "risk_and_exploitability": "The CVSS score of 7.5 indicates a high severity, yet the EPSS score of less than 1% suggests exploitation is currently unlikely. Because the flaw relies on a controllable HTTP request parameter, a remote attacker who has obtained a session cookie can exploit it from any location, regardless of network segmentation. As the vulnerability is not listed in the CISA KEV catalog, there are no known large\u2011scale exploits yet, but the potential for data leakage remains significant."}}}}, "created": "2026-02-26T13:15:07.658649+00:00", "updated": "2026-04-17T15:15:21.818524+00:00", "vendors": ["openemr", "openemr$PRODUCT$openemr"]}