CVE-2026-24898
📋 TL;DR
OpenEMR versions before 8.0.0 contain an unauthenticated token disclosure vulnerability in the MedEx callback endpoint. Any unauthenticated visitor can obtain the practice's MedEx API tokens, leading to third-party service compromise and potential PHI exfiltration. Healthcare organizations using vulnerable OpenEMR instances are affected.
💻 Affected Systems
- OpenEMR
📦 What is this software?
OpenEMR by OpenEMR
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of MedEx third-party services, unauthorized access to protected health information (PHI), HIPAA violations, and potential ransomware deployment through the compromised MedEx platform.
Likely Case
Unauthorized actors obtain MedEx API tokens and use them to access patient data, send unauthorized communications, or disrupt medical communication services.
If Mitigated
If the instance is properly segmented and monitored, the impact is limited to MedEx service disruption and potential data exposure through that specific third-party platform.
🎯 Exploit Status
Exploitation requires only HTTP POST requests to the vulnerable endpoint with a callback_key parameter. No authentication or special tools needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.0.0
Vendor Advisory: https://github.com/openemr/openemr/security/advisories/GHSA-qwff-3mw7-7rc7
Restart Required: Yes
Instructions:
1. Back up your OpenEMR installation and database.
2. Download OpenEMR 8.0.0 or later from the official repository.
3. Follow the OpenEMR upgrade documentation for your specific version path.
4. Verify the patch by checking that the MedEx callback endpoint now requires proper authentication.
🔧 Temporary Workarounds
Block MedEx Callback Endpoint
Temporarily block access to the vulnerable endpoint using web server configuration or firewall rules. Note that this also blocks legitimate MedEx callbacks, so the integration will not function until the block is lifted.
# Apache (mod_rewrite; place in the server or vhost config, where the URI keeps its leading slash):
RewriteEngine On
RewriteRule ^/interface/modules/zend_modules/public/MedEx/medexcallback.php - [F]
# Nginx (inside the server block; the exact-match location takes precedence over any "location ~ \.php$" handler):
location = /interface/modules/zend_modules/public/MedEx/medexcallback.php { deny all; }
Disable MedEx Integration
Temporarily disable the MedEx integration in the OpenEMR configuration.
# Edit OpenEMR configuration to disable MedEx modules
🧯 If You Can't Patch
- Immediately block external access to the MedEx callback endpoint at the network perimeter or web application firewall.
- Monitor for unauthorized access attempts to the MedEx callback endpoint and review MedEx API token usage logs.
🔍 How to Verify
Check if Vulnerable:
Send a POST request to /interface/modules/zend_modules/public/MedEx/medexcallback.php with a callback_key parameter. If it returns JSON containing API tokens without authentication, the system is vulnerable.
Check Version:
Check the OpenEMR version in the interface footer or via the database: SELECT * FROM version. Any version before 8.0.0 is affected.
Verify Fix Applied:
Attempt the same POST request after patching. It should return an authentication error or no sensitive data.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to MedEx callback endpoint from external IPs
- Multiple failed authentication attempts followed by successful MedEx token retrieval
Network Indicators:
- HTTP POST requests to /interface/modules/zend_modules/public/MedEx/medexcallback.php from unauthorized sources
SIEM Query:
source="web_server_logs" AND uri="/interface/modules/zend_modules/public/MedEx/medexcallback.php" AND method="POST" AND response_code=200
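The SIEM query above expressed as a stand-alone log check, as an added example that is not part of the original advisory: it parses Apache/Nginx combined-format access logs, flags successful POSTs to the MedEx callback path from sources outside a hypothetical allowlist, and counts them per client IP. The allowlist address and the sample log lines are constructed for this example.

```python
import re
from collections import Counter

# Path that leaked MedEx tokens to unauthenticated POSTs (CVE-2026-24898).
MEDEX_CALLBACK = "/interface/modules/zend_modules/public/MedEx/medexcallback.php"

# Combined log format: host ident user [time] "METHOD path HTTP/x" status bytes "ref" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Hypothetical allowlist of sources permitted to call the endpoint (e.g. MedEx's own addresses).
TRUSTED_SOURCES = {"203.0.113.10"}

def parse_line(line):
    """Parse one combined-format line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string for an exact path compare
    return rec

def find_medex_hits(lines, trusted=TRUSTED_SOURCES):
    """Successful (200) POSTs to the callback endpoint from non-allowlisted sources."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["method"] == "POST" and rec["path"] == MEDEX_CALLBACK
                and rec["status"] == 200 and rec["ip"] not in trusted):
            hits.append(rec)
    return hits

def sources_by_count(hits):
    """Flagged request count per client IP, most frequent first."""
    return Counter(h["ip"] for h in hits).most_common()

# Constructed sample log lines (not real traffic) so the script runs stand-alone.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Jan/2026:10:00:01 +0000] "POST /interface/modules/zend_modules/public/MedEx/medexcallback.php HTTP/1.1" 200 512 "-" "MedEx/1.0"',
    '198.51.100.7 - - [10/Jan/2026:10:02:13 +0000] "POST /interface/modules/zend_modules/public/MedEx/medexcallback.php HTTP/1.1" 200 640 "-" "python-requests/2.31"',
    '198.51.100.7 - - [10/Jan/2026:10:02:14 +0000] "POST /interface/modules/zend_modules/public/MedEx/medexcallback.php?x=1 HTTP/1.1" 200 640 "-" "python-requests/2.31"',
    '192.0.2.44 - - [10/Jan/2026:10:06:30 +0000] "POST /interface/modules/zend_modules/public/MedEx/medexcallback.php HTTP/1.1" 403 199 "-" "curl/8.4"',
]

if __name__ == "__main__":
    for ip, n in sources_by_count(find_medex_hits(SAMPLE_LOG)):
        print(f"{ip}: {n} successful POST(s) to the MedEx callback endpoint")
```

A 403 from the blocked endpoint (as in the last sample line) is excluded by design; widen the status filter if you also want to see denied probing attempts.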