What is the CVSS score of CVE-2026-24898?

CVE-2026-24898 has a CVSS 3.1 base score of 10.0 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. EPSS exploitation probability: 0.2%.

Which versions of PHP are affected by CVE-2026-24898?

CVE-2026-24898 is a critical vulnerability affecting OpenEMR systems with a perfect CVSS score of 10.0, indicating complete system compromise is possible.. A patch is available.

Is there a public PoC exploit available for CVE-2026-24898?

Yes, a public proof-of-concept exploit is available for CVE-2026-24898. Prioritise patching immediately. EPSS: 0.2%.

PHP CVE-2026-24898

CRITICAL

Improper Authentication (CWE-287)

2026-03-03 security-advisories@github.com

PHP Authentication Bypass Information Disclosure Openemr

10.0

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:05 vuln.today

PoC Detected

Mar 04, 2026 - 21:57 vuln.today

Public exploit code

Patch released

Mar 04, 2026 - 21:57 nvd

Patch available

CVE Published

Mar 03, 2026 - 22:16 nvd

CRITICAL 10.0

DescriptionNVD

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0, an unauthenticated token disclosure vulnerability in the MedEx callback endpoint allows any unauthenticated visitor to obtain the practice's MedEx API tokens, leading to complete third-party service compromise, PHI exfiltration, unauthorized actions on the MedEx platform, and HIPAA violations. The vulnerability exists because the endpoint bypasses authentication ($ignoreAuth = true) and performs a MedEx login whenever $_POST['callback_key'] is provided, returning the full JSON response including sensitive API tokens. This vulnerability is fixed in 8.0.0.

AnalysisAI

Unauthenticated token disclosure in OpenEMR before 8.0.0. CVSS 10.0. …

RemediationAI

Within 24 hours: Identify all OpenEMR instances in your environment and assess network exposure; isolate affected systems if patching cannot be completed immediately. Within 7 days: Apply the available vendor patch to all OpenEMR deployments and verify successful remediation. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-24898 vulnerability details – vuln.today

Back

PHP CVE-2026-24898

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code