LeakyCreds

CVE-2026-24898 - Vulnerability Analysis

Severity: Critical | CVSS: 10.0

Last Updated: March 4, 2026

OpenEMR - Authentication Bypass

Published: March 3, 2026 | Updated: March 4, 2026 | PoC Available | Remote Exploitable

Overview

OpenEMR versions before 8.0.0 contain an unauthenticated token disclosure caused by an authentication bypass in the MedEx callback endpoint, which lets unauthenticated visitors obtain MedEx API tokens and perform unauthorized actions. Exploitation requires a crafted POST request carrying a callback_key.

Severity & Score

Severity: Critical
CVSS Score: 10.0
EPSS Score: 18.7% (probability of exploitation in the next 30 days)

Impact

Unauthenticated attackers can obtain API tokens, leading to third-party service compromise, PHI exfiltration, and HIPAA violations.

Mitigation

Upgrade to version 8.0.0 or later.

Social Media Activity (1 post)

TheHackerWire
@thehackerwire
Mar 4, 2026

🔓 CVE-2026-24898 - Critical (10) OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0, an unauthenticated token disclosure vulnerability in the MedEx callback endpoint allows any unauthenticated visitor to obtain ... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-24898/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2026-24898
Severity: Critical
CVSS Score: 10.0
Type: broken_authentication
Status: confirmed
EPSS: 18.7%
Social Posts: 1

CWE

  • CWE-287

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Score

18.7% (probability of exploitation in the next 30 days)