
OpenEMR: Unauthenticated Access to Sensitive Medical Data

CVE-2026-24898
Summary

Prior to version 8.0.0, OpenEMR's MedEx callback endpoint allowed anyone to access sensitive medical data without needing a password. Unauthorized parties could therefore steal that data, exposing the practice to serious consequences such as HIPAA fines. Update to version 8.0.0 or later to fix this issue.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
Vendor     Product   Affected versions   Fix available
open-emr   openemr   <= 8.0.0            –
Original title
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0, an unauthenticated token disclosure vulnerability in the MedEx callback endp...
Original description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0, an unauthenticated token disclosure vulnerability in the MedEx callback endpoint allows any unauthenticated visitor to obtain the practice's MedEx API tokens, leading to complete third-party service compromise, PHI exfiltration, unauthorized actions on the MedEx platform, and HIPAA violations. The vulnerability exists because the endpoint bypasses authentication ($ignoreAuth = true) and performs a MedEx login whenever $_POST['callback_key'] is provided, returning the full JSON response including sensitive API tokens. This vulnerability is fixed in 8.0.0.
NVD CVSS 3.1: 9.8
Vulnerability type
CWE-287 Improper Authentication
Published: 3 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026