CVE-2026-24898
Published: 03 March 2026
Description
Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.
Security Summary
CVE-2026-24898 is an unauthenticated token disclosure vulnerability affecting OpenEMR, a free and open-source electronic health records and medical practice management application, in versions prior to 8.0.0. The issue resides in the MedEx callback endpoint, which bypasses authentication by setting $ignoreAuth = true and performs a MedEx login whenever $_POST['callback_key'] is provided, returning a full JSON response that includes sensitive MedEx API tokens. The flaw is classified under CWE-287 (Improper Authentication) and carries the maximum CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H): it is reachable over the network, requires no privileges or user interaction, and is low in attack complexity, so its severity is critical.
Any unauthenticated visitor can exploit this vulnerability remotely by sending a POST request to the MedEx callback endpoint with a 'callback_key' parameter, which triggers disclosure of the practice's MedEx API tokens. Successful exploitation enables complete compromise of the third-party MedEx service, exfiltration of protected health information (PHI), unauthorized actions on the MedEx platform, and potential HIPAA violations; the confidentiality, integrity, and availability impacts are all rated high and, because the scope is changed, extend beyond the vulnerable OpenEMR component.
The vulnerability is fixed in OpenEMR version 8.0.0, as detailed in the project's security advisory (GHSA-qwff-3mw7-7rc7) and the corresponding commit (8e4de59ab58222f13abc4e4040128737d857db9c) on GitHub, which presumably addresses the authentication bypass and token exposure in the endpoint. Security practitioners should prioritize upgrading to 8.0.0 or later, review internet-exposed instances for signs of token leakage, and rotate MedEx credentials if leakage is suspected.
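The following is an added illustrative hardening of the callback pattern the advisory describes; it is example code, not OpenEMR's own code or its actual fix. The MEDEX_CALLBACK_SECRET setting, the handleMedExCallback() function and the $medexLogin stub are assumptions made for the example.

```php
<?php
// Added example (not OpenEMR code). Assumes the practice stores a per-deployment
// shared secret (MEDEX_CALLBACK_SECRET) server-side and that $medexLogin is a
// stand-in for the real MedEx login client.
declare(strict_types=1);

// Vulnerable pattern from the advisory: $ignoreAuth = true skips OpenEMR
// authentication, and any POST carrying callback_key triggers a MedEx login
// whose full JSON response, tokens included, is echoed back to the caller.

/**
 * Hardened handler. The callback can still be reached without an OpenEMR
 * session (MedEx itself calls it), but the caller must present the shared
 * secret, the comparison is constant-time, and tokens never leave the server.
 */
function handleMedExCallback(array $post, string $expectedSecret, callable $medexLogin): array
{
    $key = $post['callback_key'] ?? '';

    // Fail closed when no secret is configured or the parameter is malformed.
    if ($expectedSecret === '' || !is_string($key)) {
        http_response_code(403);
        return ['status' => 'error', 'message' => 'callback not configured'];
    }

    // hash_equals() avoids leaking the secret through timing differences.
    if (!hash_equals($expectedSecret, $key)) {
        http_response_code(403);
        error_log('MedEx callback: rejected request with invalid callback_key');
        return ['status' => 'error', 'message' => 'forbidden'];
    }

    // Perform the login server-side; keep the returned token out of the response.
    $login = $medexLogin();
    return ['status' => !empty($login['success']) ? 'ok' : 'error'];
}

$response = handleMedExCallback(
    $_POST,
    getenv('MEDEX_CALLBACK_SECRET') ?: '',
    // Stub standing in for the real MedEx login; the token stays in this scope.
    static fn(): array => ['success' => true, 'token' => 'constructed-placeholder']
);

header('Content-Type: application/json');
echo json_encode($response);
```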
Details
CWE(s): CWE-287 (Improper Authentication)
Affected Products: OpenEMR, versions prior to 8.0.0 (fixed in 8.0.0)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
T1190: Unauthenticated exploitation of a public-facing OpenEMR web application endpoint.
T1528: Direct disclosure of sensitive MedEx API tokens (application access tokens).