External risk intelligence

OpenMRS medical records system lets attackers take control or steal data

CVE advisory. Severity: CRITICAL (CVSS 9.4)

CVE-2026-40076

An internal attacker with module management access can manipulate OpenMRS Core to gain full control over the system. This unauthorized access could lead to a compromise of sensitive data and critical business operations.

Halo Surface Signal: 2

Path Traversal

OpenMRS

Affected versions: 2.7.8 and earlier; 2.8.0 to 2.8.5

External exposure likelihood

Halo Surface Signal score for CVE-2026-40076

The vulnerability affects an administrative module management endpoint within an electronic medical record system. This functionality is intended for authorized internal users and is not designed as a public-facing service, meaning internet exposure is uncommon and typically restricted by internal network controls.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in OpenMRS Core allows an authenticated user to upload a specially crafted file, potentially overwriting critical system files and enabling remote code execution. This bypasses existing security measures, making it a significant risk for any organization using the affected versions of this electronic medical record system.

  • Allows arbitrary file writes.
  • Can lead to full system compromise.
  • Bypasses existing security controls.

Attack Path

How an attacker could exploit the issue

An authenticated attacker with module upload privileges can exploit this flaw to execute arbitrary code. They can craft a malicious ZIP archive containing a JSP file with a path traversal payload, uploading it via the module endpoint. This allows them to write the JSP file to the web application root, enabling remote code execution when accessed through a browser.

  • Requires authenticated access.
  • Targets module upload endpoint.
  • Uploads crafted ZIP archive.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows an authenticated attacker with module upload privileges to achieve remote code execution by uploading a malicious JSP file. The exploit is particularly concerning because it bypasses a runtime property intended to restrict web-based module administration, making even secured deployments vulnerable through the REST API. The context of an electronic medical record system suggests sensitive data is at risk.

  • Exploitation requires authentication.
  • No known public exploit.
  • KEV unlikely due to required authentication.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching or upgrading OpenMRS Core to versions 2.7.9+ or 2.8.6+ to address the critical Zip Slip vulnerability. If immediate patching is not feasible, restrict access to the module upload endpoint and monitor for suspicious file uploads or execution attempts.

  • Upgrade OpenMRS to patched versions.
  • Isolate or restrict module upload access.
  • Monitor for anomalous file activity.

Frequently asked questions

What is OpenMRS Core and its primary function in healthcare systems?

OpenMRS Core is an open-source platform designed for electronic medical records. It functions as a foundational system to assist healthcare providers in effectively managing patient data and maintaining comprehensive medical histories.

How does CVE-2026-40076 enable attackers to gain control of systems?

CVE-2026-40076 is a Zip Slip vulnerability. It permits an authenticated attacker to upload a malicious file that can be written to sensitive locations, such as the web application root, thereby enabling remote code execution.

What specific weakness allows for path traversal in OpenMRS Core?

The vulnerability stems from the module upload endpoint's handling of .omod archives. During automatic extraction, ZIP entries are not properly validated for path traversal, allowing crafted entries to write files outside the intended module directory.
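The defect described above, and the "validate before extracting" behaviour the remediation section expects from a patched system, can be shown with a small defensive routine. The following is an added illustration written for this page, not OpenMRS code: it resolves every ZIP entry against the intended extraction root and refuses the whole archive if any entry would land outside it. The extraction root `/srv/openmrs/modules` and the sample archives are constructed assumptions; the `.omod` archives OpenMRS actually processes are ordinary ZIP files, which is why the check applies unchanged.

```python
import io
import os
import tempfile
import zipfile
from typing import Dict, List

# Hypothetical extraction root, standing in for wherever a server unpacks uploaded
# module archives; it does not need to exist for the path checks below.
MODULE_ROOT = "/srv/openmrs/modules"


def _is_inside(base: str, entry_name: str) -> bool:
    """True if entry_name, joined to base and normalized, still lies under base."""
    base_abs = os.path.abspath(base)
    # Treat backslashes as separators so Windows-built archives get the same check.
    candidate = os.path.join(base_abs, entry_name.replace("\\", "/"))
    target = os.path.abspath(candidate)  # collapses '..' and honours absolute names
    # commonpath is component-aware, so '/srv/x' is not fooled by '/srv/x2'.
    return os.path.commonpath([base_abs, target]) == base_abs


def find_traversal_entries(archive_bytes: bytes, base: str = MODULE_ROOT) -> List[str]:
    """Return the names of every entry that would be written outside base."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return [i.filename for i in zf.infolist() if not _is_inside(base, i.filename)]


def safe_extract(archive_bytes: bytes, dest: str) -> List[str]:
    """Extract archive_bytes into dest, refusing the whole archive if any entry escapes.

    All entries are validated before the first write, so a rejected archive leaves
    nothing behind. Returns the paths that were written.
    """
    bad = find_traversal_entries(archive_bytes, dest)
    if bad:
        raise ValueError("archive rejected, entries escape extraction root: %r" % bad)
    written = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.join(os.path.abspath(dest), info.filename.replace("\\", "/"))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def build_archive(entries: Dict[str, str]) -> bytes:
    """Build an in-memory ZIP from {entry name: text}; used only for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, text in entries.items():
            zf.writestr(name, text)
    return buf.getvalue()


# Constructed sample archives with placeholder content; none is a real OpenMRS module.
BENIGN_ARCHIVE = build_archive({"config.xml": "<module/>", "lib/helper.jar": "placeholder"})
TRAVERSAL_ARCHIVE = build_archive({"config.xml": "<module/>", "../../webapps/ROOT/x.jsp": "placeholder"})
ABSOLUTE_ARCHIVE = build_archive({"/tmp/x.jsp": "placeholder"})
SIBLING_ARCHIVE = build_archive({"../modules2/x.jsp": "placeholder"})  # prefix-trap case


def run_demo() -> Dict[str, object]:
    """Extract the benign archive, then attempt the traversal one, in a scratch directory."""
    with tempfile.TemporaryDirectory() as scratch:
        dest = os.path.join(scratch, "modules")
        written = safe_extract(BENIGN_ARCHIVE, dest)
        try:
            safe_extract(TRAVERSAL_ARCHIVE, dest)
            rejected = False
        except ValueError:
            rejected = True
        # Nothing should have appeared beside the modules directory after the rejection.
        stray = [name for name in os.listdir(scratch) if name != "modules"]
        return {"benign_files": len(written), "traversal_rejected": rejected, "stray_files": stray}


if __name__ == "__main__":
    for label, data in [("benign", BENIGN_ARCHIVE), ("traversal", TRAVERSAL_ARCHIVE),
                        ("absolute", ABSOLUTE_ARCHIVE), ("sibling", SIBLING_ARCHIVE)]:
        print(label, find_traversal_entries(data))
    print(run_demo())
```

Two design points matter for a defender reviewing an upload handler: the check normalizes the joined path rather than searching the entry name for `..` (which misses absolute names and `..` hidden behind backslashes), and it compares with `os.path.commonpath` rather than a string prefix, so an entry resolving to `/srv/openmrs/modules2/...` is still rejected. Validating every entry before writing any is what keeps a rejected upload from leaving a half-extracted module on disk.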

What are the preconditions for an attacker to exploit this vulnerability?

An attacker must possess authentication credentials and have module upload privileges within the OpenMRS system. They need to upload a specially crafted ZIP archive containing a malicious file with a path traversal payload.

What is the recommended action to mitigate the risks associated with CVE-2026-40076?

The most effective mitigation is to upgrade OpenMRS Core to versions 2.7.9 or later, or versions 2.8.6 or later. If immediate patching is not possible, restrict access to the module upload endpoint and monitor for suspicious activity.
