CVE-2026-24898
Published: 03 March 2026
Summary
CVE-2026-24898 is a critical-severity Improper Authentication (CWE-287) vulnerability in OpenEMR (listed as vendor Open-Emr, product Openemr). Its CVSS base score is 10.0 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 23.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-14 (Permitted Actions Without Identification or Authentication): Directly limits sensitive actions, such as MedEx API token disclosure, that are permitted without identification or authentication on the callback endpoint.
- AC-3 (Access Enforcement): Enforces approved authorizations to prevent unauthenticated access and token disclosure via the $ignoreAuth bypass in the MedEx callback endpoint.
- IA-8 (Identification and Authentication (Non-Organizational Users)): Requires identification and authentication for non-organizational users, mitigating exploitation by any unauthenticated visitor to the vulnerable endpoint.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
- T1190 (Exploit Public-Facing Application): Unauthenticated exploitation of a public-facing OpenEMR web application endpoint.
- T1528 (Steal Application Access Token): Direct disclosure of sensitive MedEx API tokens (application access tokens).
NVD Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0, an unauthenticated token disclosure vulnerability in the MedEx callback endpoint allows any unauthenticated visitor to obtain the practice's MedEx API tokens, leading to complete third-party service compromise, PHI exfiltration, unauthorized actions on the MedEx platform, and HIPAA violations. The vulnerability exists because the endpoint bypasses authentication ($ignoreAuth = true) and performs a MedEx login whenever $_POST['callback_key'] is provided, returning the full JSON response including sensitive API tokens. This vulnerability is fixed in 8.0.0.
Deeper analysis
CVE-2026-24898 is an unauthenticated token disclosure vulnerability affecting OpenEMR, a free and open source electronic health records and medical practice management application, in versions prior to 8.0.0. The issue resides in the MedEx callback endpoint, which bypasses authentication by setting $ignoreAuth = true and performs a MedEx login whenever $_POST['callback_key'] is provided, returning a full JSON response that includes sensitive MedEx API tokens. This flaw, classified under CWE-287 (Improper Authentication), carries a maximum CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating critical severity: it is reachable over the network, low in complexity, and requires neither privileges nor user interaction.
Any unauthenticated visitor can exploit this vulnerability remotely by sending a POST request to the MedEx callback endpoint with a 'callback_key' parameter, triggering the disclosure of the practice's MedEx API tokens. Successful exploitation enables complete compromise of the third-party MedEx service, exfiltration of protected health information (PHI), unauthorized actions on the MedEx platform, and potential HIPAA violations, granting attackers high confidentiality, integrity, and availability impacts across the scoped network.
The vulnerability is fixed in OpenEMR version 8.0.0, as detailed in the project's security advisory (GHSA-qwff-3mw7-7rc7) and the corresponding commit (8e4de59ab58222f13abc4e4040128737d857db9c) on GitHub, which presumably addresses the authentication bypass and token exposure in the endpoint. Security practitioners should prioritize upgrading to 8.0.0 or later and review exposed instances for token leakage. Because the disclosed values are live MedEx API tokens, upgrading alone does not invalidate any that were already obtained; tokens belonging to instances that were reachable while vulnerable should be rotated on the MedEx side as part of remediation.
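To make the defect and its remedy concrete, the sketch below contrasts the endpoint shape the advisory describes with one hardened alternative. It is an added illustration written for this page, not OpenEMR's code and not the project's actual fix; medex_login(), save_medex_tokens(), practice_callback_secret(), the environment variable name and the absence of a concrete endpoint path are all placeholders, and the constructed token values are fake.

```php
<?php
declare(strict_types=1);

// Added illustration for CVE-2026-24898. NOT OpenEMR's code and NOT the
// project's fix: it reconstructs the endpoint shape described in the advisory
// and shows one hardened alternative. medex_login(), save_medex_tokens(),
// practice_callback_secret() and the env var name are hypothetical placeholders.

// --- Shape described by the advisory (vulnerable) ---
//   $ignoreAuth = true;                      // OpenEMR session check skipped
//   if (!empty($_POST['callback_key'])) {    // any value accepted, never verified
//       echo json_encode(medex_login());     // upstream JSON, tokens included, to the caller
//   }

/** Placeholder for the real MedEx login call; returns the upstream JSON as an array. */
function medex_login(): array
{
    // Constructed sample response; a real call would contact the MedEx API.
    return ['success' => true, 'api_token' => 'CONSTRUCTED-TOKEN', 'refresh_token' => 'CONSTRUCTED-REFRESH'];
}

/** Placeholder: persist tokens server-side (DB/config), never in the HTTP response. */
function save_medex_tokens(array $upstream): void
{
    // e.g. write to the practice's settings table; storage details omitted here
}

/** Placeholder: the per-practice secret registered with MedEx when the callback was set up. */
function practice_callback_secret(): string
{
    return getenv('MEDEX_CALLBACK_SECRET') ?: '';
}

/**
 * Hardened handler. Returns [$httpStatus, $bodyArray] so it can be exercised
 * without a web server. Three changes versus the vulnerable shape:
 *   1. callback_key is verified against a stored secret in constant time;
 *   2. an unset or empty secret fails closed instead of accepting any key;
 *   3. the upstream response (the tokens) is stored server-side and never echoed.
 */
function handle_medex_callback(array $post, string $storedSecret): array
{
    $provided = $post['callback_key'] ?? '';
    if (!is_string($provided) || $provided === '' || $storedSecret === ''
        || !hash_equals($storedSecret, $provided)) {
        error_log('MedEx callback rejected: missing or invalid callback_key');
        return [403, ['error' => 'forbidden']];
    }

    $upstream = medex_login();
    if (empty($upstream['success'])) {
        error_log('MedEx callback: upstream login failed');
        return [502, ['error' => 'upstream login failed']];
    }

    save_medex_tokens($upstream);              // tokens stay on the server
    return [200, ['status' => 'ok']];          // acknowledgement only, no secrets
}

// Dispatch when served over HTTP (the real endpoint path is not named on this page).
if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    [$status, $body] = handle_medex_callback($_POST, practice_callback_secret());
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode($body);
}
```

The two properties that matter for this CVE are the fail-closed secret check (an empty or missing stored secret rejects every request rather than accepting any callback_key) and the separation between what the callback returns to the network (an acknowledgement) and what it stores (the tokens). Reviewing an instance for similar issues means grepping for any `$ignoreAuth = true` endpoint and asking both questions of it.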
Details
- CWE(s)