Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0, an unauthenticated token disclosure vulnerability in the MedEx callback endpoint allows any unauthenticated visitor to obtain the practice's MedEx API tokens, leading to complete third-party service compromise, PHI exfiltration, unauthorized actions on the MedEx platform, and HIPAA violations. The vulnerability exists because the endpoint bypasses authentication ($ignoreAuth = true) and performs a MedEx login whenever $_POST['callback_key'] is provided, returning the full JSON response including sensitive API tokens. This vulnerability is fixed in 8.0.0.
Published: 2026-03-03
Score: 10 (Critical)
EPSS: < 1% (Very Low)
KEV: No
Impact: Exposure of MedEx API tokens, enabling PHI exfiltration and unauthorized MedEx actions
Action: Immediate Patch
AI Analysis

Impact

The flaw allows any unauthenticated user to trigger a MedEx login via the callback endpoint by supplying a callback_key parameter, and because authentication is intentionally bypassed the resulting JSON response contains the full MedEx API token set. With these tokens an attacker can compromise the MedEx service, extract protected health information, and perform unauthorized actions, constituting a severe breach of HIPAA.
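The pattern described in the Description and Impact sections, as an added illustration that is not OpenEMR's code: the handler functions, `medex_login()`, `load_callback_secret()` and `store_tokens_server_side()` are hypothetical stand-ins, used to contrast the advisory's failure mode with a hardened handler that verifies the callback key in constant time and never echoes the login response.

```php
<?php
// Added illustration, not OpenEMR code. All helper names below are hypothetical.

// Constructed stand-ins so the file runs on its own.
function medex_login(): array { return ['api_token' => 'CONSTRUCTED-TOKEN', 'status' => 'ok']; }
function load_callback_secret(): string { return 'CONSTRUCTED-SECRET'; }
function store_tokens_server_side(array $r): void { /* persist outside the HTTP response */ }

// --- Pattern the advisory describes (vulnerable) ---
// $ignoreAuth = true disables the session check for the script, so any POST
// carrying callback_key triggers a MedEx login whose full JSON response,
// API tokens included, is returned to the unauthenticated caller.
function vulnerable_callback(array $post): string
{
    $ignoreAuth = true;                       // no OpenEMR session required
    if (isset($post['callback_key'])) {
        $response = medex_login();            // provider's full JSON reply
        return json_encode($response);        // tokens leave with the response
    }
    return json_encode(['status' => 'ignored']);
}

// --- Hardened form (one reasonable design, not the vendor's 8.0.0 patch) ---
// 1. Treat callback_key as a shared secret: compare it in constant time
//    against the server-side value and reject anything else with 403.
// 2. Even a valid callback never returns the login response; tokens stay
//    server-side and the caller receives only an acknowledgement.
function hardened_callback(array $post): string
{
    $presented = (string)($post['callback_key'] ?? '');
    $expected  = load_callback_secret();
    if ($expected === '' || !hash_equals($expected, $presented)) {
        http_response_code(403);
        error_log('MedEx callback: invalid or missing callback_key');
        return json_encode(['error' => 'forbidden']);
    }
    $response = medex_login();                // tokens used internally only
    store_tokens_server_side($response);
    return json_encode(['status' => 'ok']);   // nothing sensitive echoed back
}

// Constructed request: an unauthenticated POST with an arbitrary callback_key.
$sample = ['callback_key' => 'anything'];
echo "vulnerable: " . vulnerable_callback($sample) . "\n";  // leaks api_token
echo "hardened:   " . hardened_callback($sample) . "\n";    // {"error":"forbidden"}
```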

Affected Systems

Any installation of OpenEMR older than version 8.0.0 that exposes the MedEx callback endpoint is affected, including all OpenEMR instances listed under the openemr vendor in the CNA and CPE entries.

Risk and Exploitability

The vulnerability carries a CVSS base score of 10, the maximum severity. Its EPSS score of less than 1% indicates that exploitation is not currently widespread, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is unauthenticated and remote, requiring only a simple HTTP POST to the endpoint, so exploitation is trivial wherever the application is reachable.

Generated by OpenCVE AI on April 16, 2026 at 13:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to OpenEMR version 8.0.0 or later to eliminate the authentication bypass.
  • If an upgrade cannot be performed immediately, limit network access to the MedEx callback endpoint using firewall rules or an IP allowlist so that only authorized internal systems can reach it.
  • After remediation, rotate all MedEx API tokens and revoke any that may have been exposed to ensure that compromised credentials cannot be reused.


Tracking


Advisories

No advisories yet.

History

Wed, 04 Mar 2026 22:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Open-emr; Open-emr openemr
CPEs | | cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*
Vendors & Products | | Open-emr; Open-emr openemr

Wed, 04 Mar 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 04 Mar 2026 15:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Openemr; Openemr openemr
Vendors & Products | | Openemr; Openemr openemr

Tue, 03 Mar 2026 22:15:00 +0000

Type | Values Removed | Values Added
Description | | OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0, an unauthenticated token disclosure vulnerability in the MedEx callback endpoint allows any unauthenticated visitor to obtain the practice's MedEx API tokens, leading to complete third-party service compromise, PHI exfiltration, unauthorized actions on the MedEx platform, and HIPAA violations. The vulnerability exists because the endpoint bypasses authentication ($ignoreAuth = true) and performs a MedEx login whenever $_POST['callback_key'] is provided, returning the full JSON response including sensitive API tokens. This vulnerability is fixed in 8.0.0.
Title | | OpenEMR has an Unauthenticated MedEx Token Disclosure
Weaknesses | | CWE-287
References | |
Metrics | | cvssV3_1: {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-04T16:52:59.930Z

Reserved: 2026-01-27T19:35:20.529Z

Link: CVE-2026-24898

Vulnrichment

Updated: 2026-03-04T16:52:49.921Z

NVD

Status: Analyzed

Published: 2026-03-03T22:16:28.443

Modified: 2026-03-04T21:57:13.603

Link: CVE-2026-24898

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T14:00:19Z

Weaknesses