LeakyCreds

CVE-2026-24898 - Vulnerability Analysis

Severity: Critical
CVSS: 10.0

Last Updated: March 3, 2026

OpenEMR - Authentication Bypass

Published: March 3, 2026
Updated: March 3, 2026
Remote Exploitable

Overview

OpenEMR versions prior to 8.0.0 contain an unauthenticated token disclosure: the MedEx callback endpoint can be reached without authenticating, which lets an unauthenticated visitor obtain MedEx API tokens and use them to perform unauthorized actions. Exploitation requires a crafted POST request carrying a callback_key.

Severity & Score

Severity: Critical
CVSS Score: 10.0

Impact

Unauthenticated attackers can obtain API tokens, leading to third-party service compromise, PHI exfiltration, and HIPAA violations.

Mitigation

Upgrade to version 8.0.0 or later.

Details

CVE ID: CVE-2026-24898
Severity: Critical
CVSS Score: 10.0
Type: broken_authentication
Status: new

CWE

  • CWE-287

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H