CVE-2026-24898
Received Received - Intake
Unauthenticated Token Disclosure in OpenEMR MedEx Callback Endpoint

Publication date: 2026-03-03

Last updated on: 2026-03-04

Assigner: GitHub, Inc.

Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0, an unauthenticated token disclosure vulnerability in the MedEx callback endpoint allows any unauthenticated visitor to obtain the practice's MedEx API tokens, leading to complete third-party service compromise, PHI exfiltration, unauthorized actions on the MedEx platform, and HIPAA violations. The vulnerability exists because the endpoint bypasses authentication ($ignoreAuth = true) and performs a MedEx login whenever $_POST['callback_key'] is provided, returning the full JSON response including sensitive API tokens. This vulnerability is fixed in 8.0.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-03
Last Modified
2026-03-04
Generated
2026-05-07
AI Q&A
2026-03-04
EPSS Evaluated
2026-05-05
NVD
CVE-2026-24898
EUVD
EUVD-2026-9328
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
open-emr openemr to 8.0.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in OpenEMR versions prior to 8.0.0 and involves an unauthenticated token disclosure in the MedEx callback endpoint.

Because the endpoint bypasses authentication and performs a MedEx login when a specific callback key is provided, any unauthenticated visitor can obtain the practice's MedEx API tokens.

These tokens are returned in the full JSON response, exposing sensitive credentials.


How can this vulnerability impact me? :

The vulnerability can lead to complete compromise of third-party services integrated via MedEx.

  • Exfiltration of Protected Health Information (PHI).
  • Unauthorized actions on the MedEx platform using stolen API tokens.
  • Potential full control over MedEx services linked to the affected practice.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

This vulnerability leads to violations of HIPAA regulations due to unauthorized disclosure and exfiltration of Protected Health Information (PHI).

By exposing sensitive API tokens and enabling unauthorized access, it compromises the confidentiality and integrity of patient data, which is critical for compliance with healthcare data protection standards.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed in OpenEMR version 8.0.0. Immediate mitigation involves upgrading OpenEMR to version 8.0.0 or later.

Since the vulnerability allows unauthenticated token disclosure via the MedEx callback endpoint, restricting access to this endpoint or disabling the MedEx integration until the upgrade can also help mitigate risk.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart