CVE-2026-24898
Received Received - Intake
Unauthenticated Token Disclosure in OpenEMR MedEx Callback Endpoint

Publication date: 2026-03-03

Last updated on: 2026-03-04

Assigner: GitHub, Inc.

Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0, an unauthenticated token disclosure vulnerability in the MedEx callback endpoint allows any unauthenticated visitor to obtain the practice's MedEx API tokens, leading to complete third-party service compromise, PHI exfiltration, unauthorized actions on the MedEx platform, and HIPAA violations. The vulnerability exists because the endpoint bypasses authentication ($ignoreAuth = true) and performs a MedEx login whenever $_POST['callback_key'] is provided, returning the full JSON response including sensitive API tokens. This vulnerability is fixed in 8.0.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-03
Last Modified
2026-03-04
Generated
2026-06-16
AI Q&A
2026-03-04
EPSS Evaluated
2026-06-15
NVD
CVE-2026-24898
EUVD
EUVD-2026-9328
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
open-emr openemr to 8.0.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in OpenEMR versions prior to 8.0.0 and involves an unauthenticated token disclosure in the MedEx callback endpoint.

Because the endpoint bypasses authentication and performs a MedEx login when a specific callback key is provided, any unauthenticated visitor can obtain the practice's MedEx API tokens.

These tokens are returned in the full JSON response, exposing sensitive credentials.

Impact Analysis

The vulnerability can lead to complete compromise of third-party services integrated via MedEx.

  • Exfiltration of Protected Health Information (PHI).
  • Unauthorized actions on the MedEx platform using stolen API tokens.
  • Potential full control over MedEx services linked to the affected practice.
Compliance Impact

This vulnerability leads to violations of HIPAA regulations due to unauthorized disclosure and exfiltration of Protected Health Information (PHI).

By exposing sensitive API tokens and enabling unauthorized access, it compromises the confidentiality and integrity of patient data, which is critical for compliance with healthcare data protection standards.

Detection Guidance

I don't know

Mitigation Strategies

The vulnerability is fixed in OpenEMR version 8.0.0. Immediate mitigation involves upgrading OpenEMR to version 8.0.0 or later.

Since the vulnerability allows unauthenticated token disclosure via the MedEx callback endpoint, restricting access to this endpoint or disabling the MedEx integration until the upgrade can also help mitigate risk.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24898. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart