OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0, an unauthenticated token disclosure vulnerability in the MedEx callback endpoint allows any unauthenticated visitor to obtain the practice's MedEx API tokens, leading to complete third-party service compromise, PHI exfiltration, unauthorized actions on the MedEx platform, and HIPAA violations. The vulnerability exists because the endpoint bypasses authentication ($ignoreAuth = true) and performs a MedEx login whenever $_POST['callback_key'] is provided, returning the full JSON response including sensitive API tokens. This vulnerability is fixed in 8.0.0.
The MedEx callback endpoint is configured with the parameter $ignoreAuth = true, which means complete bypass of the authentication mechanism. When an attacker sends a POST request containing the callback_key parameter, the application automatically performs login to MedEx and returns a complete JSON response containing sensitive API tokens. No authentication credentials or prior system access are required—the attack is possible for any anonymous user with network access to the OpenEMR instance.
An attacker obtains full MedEx API tokens of a medical practice, enabling MedEx service takeover, theft of protected patient health information (PHI), and execution of unauthorized actions on the MedEx platform, resulting in HIPAA compliance violations.
OpenEMR must be immediately updated to version 8.0.0, in which the vulnerability has been fixed. The patch is available in the project repository (commit 8e4de59ab58222f13abc4e4040128737d857db9c). Until the update is applied, consider restricting network access to the OpenEMR instance at the firewall level.
OpenEMR in all versions before 8.0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HOpen Emr Openemr
APPOpen-Emr< 8.0.0
Related vulnerabilities
Command Injection w funkcji backup OpenEMR (wersje przed 8.0.0.2)
OpenEMR: Wyciek klucza API bramki płatności do klienta w plaintext
SQL Injection w OpenEMR — narażenie danych PHI przez parametr _sort
OpenEMR: path traversal umożliwia odczyt dowolnych plików przez uwierzytelnionego użytkownika
SQL Injection w OpenEMR 7.0.2 — krytyczna podatność w module aptecznym