External risk intelligence

OpenMed PII Privacy Filter Remote Code Execution.

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2026-47117

OpenMed acts as a service for processing data, often deployed as a web application or API endpoint to handle privacy filtering. As the vulnerability is reachable through unauthenticated input parameters in the model loading path, it is likely to be exposed if the service is deployed to process external user requests or provide a public-facing interface.

Code Injection

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A remote code execution vulnerability has been identified in OpenMed related to how it loads privacy-filter models. This flaw could allow an unauthenticated attacker to execute arbitrary code with the privileges of the OpenMed service by supplying a malicious model. The main concern is confirming relevance and exposure.

  • Issue: Malicious code execution via model loading.
  • Why remember: Affects data privacy and service integrity.
  • Takeaway: Confirm if our systems use this technology.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by sending specially crafted input to the OpenMed service. The service's privacy filter incorrectly processes a user-supplied name for a privacy model, allowing the attacker to trick it into loading a malicious model from a remote source. This remote model can contain custom code that executes with the same permissions as the OpenMed service, potentially leading to full system compromise.

  • No authentication needed.
  • Malicious model loading.
  • Arbitrary code execution.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could affect the OpenMed service by allowing an unauthenticated attacker to execute arbitrary code. This is possible when a malicious model repository is supplied through the `model_name` parameter, which the service then loads with elevated privileges.

  • Service process could be compromised.
  • Malicious code executes through model loading.
  • Attacker gains service privileges.

Operational Fix

Recommended remediation, mitigation, and detection steps

The OpenMed service owner or platform team is likely responsible for addressing this vulnerability, as it impacts a specific application component. The first practical step is to identify all OpenMed deployments, confirm their network exposure and criticality, and then engage the accountable owner to plan remediation.

  • Identify OpenMed deployments and exposure.
  • Confirm asset criticality and ownership.
  • Plan remediation based on risk assessment.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is OpenMed and how is it used?

OpenMed is a software service designed to process and filter sensitive data, such as Personally Identifiable Information (PII). Organizations deploy it as an API or web application to sanitize data streams automatically. The core functionality relies on privacy-filter models to recognize and redact information, which is where the software interacts with external model repositories.

How does CVE-2026-47117 allow remote code execution?

This vulnerability, classified as CWE-94 (Code Injection), occurs because the software's privacy-filter dispatcher uses overly broad matching on model names. An attacker can supply a crafted input that forces the system to load a malicious model from an external source. Because the application enables features that automatically run remote code during the loading process, the attacker's custom instructions execute directly on the server hosting the OpenMed service.

What triggers this vulnerability in OpenMed?

The flaw is triggered when the application receives a specially crafted 'model_name' parameter. This input tricks the system into treating an untrusted repository as a legitimate privacy model. Crucially, the vulnerability does not trigger if the software is configured to only load pre-approved, local models from a secure, read-only path that prohibits remote execution or external dynamic imports.

Is my instance of OpenMed at risk?

According to Halo Surface Signal, this vulnerability is likely to be exposed if your OpenMed instance processes external user requests or provides a public-facing API interface. If your deployment handles direct inputs from the internet or untrusted network segments to configure privacy filters, it is reachable by unauthenticated attackers. Internal-only deployments with restricted access to model-loading parameters face a lower, though still present, risk.

What are the first steps to address this issue?

Begin by creating a comprehensive inventory of all OpenMed deployments within your environment. Once identified, evaluate whether each instance is accessible from the network and verify which version is running. If you are using a version earlier than 1.5.2, coordinate with your engineering or platform team to plan an update or restrict the model-loading path to prevent the execution of untrusted external code.

References