CVE-2026-24898

Name of the Vulnerable Software and Affected Versions OpenEMR versions prior to 8.0.0

Description OpenEMR is an electronic health records and medical practice management application. A flaw in the MedEx callback endpoint allows unauthenticated access to the practice's MedEx API tokens. This can lead to compromise of third-party services, unauthorized access to Protected Health Information (PHI), and potential HIPAA violations. The issue occurs because the endpoint bypasses authentication and performs a MedEx login when $ POST['callback key'] is provided, returning a JSON response that includes sensitive API tokens. The vulnerable endpoint is '/MedEx/callback'. The vulnerable parameter is callback key.

Recommendations Update to version 8.0.0 or later.