OpenMRS, the world’s leading open-source electronic medical record (EMR) platform used extensively in resource-constrained environments, has issued urgent security updates to address three high-impact vulnerabilities. These flaws, which range from unauthenticated file access to critical remote code execution (RCE), threaten the confidentiality of protected health information (PHI) and the integrity of medical systems globally.
The most severe of these vulnerabilities allows non-administrative staff to escalate their privileges and execute arbitrary commands on the hospital’s server.
The most critical discovery is CVE-2026-41258, a Server-Side Template Injection (SSTI) flaw with a CVSS score of 9.1. The vulnerability resides in how OpenMRS evaluates clinical “reference ranges”, the standard values used to validate medical observations.
Researchers found that the evaluateCriteria() method treats database-stored strings as Apache Velocity templates without any sandboxing. This allows a user with the “Manage Concepts” privilege (a standard content-management role rather than a full admin) to store a malicious payload in a clinical concept.
The impact is uniquely insidious:
- Automatic Execution: The payload executes every time a staff member or API validates an observation against that concept.
- Deep Access: The exploit provides direct access to the full OpenMRS service layer and patient objects.
- PHI Exfiltration: Attackers can extract sensitive patient data directly through the template context without ever needing OS-level access.
Two additional vulnerabilities target the OpenMRS module system, potentially allowing attackers to overwrite system files or read sensitive configuration data:
- Zip Slip RCE (CVE-2026-40076): An authenticated attacker can upload a crafted .omod module archive containing directory traversal sequences. Because the platform fails to properly validate the extraction path, an attacker can write a malicious .jsp file directly into the web application root, achieving Remote Code Execution. This flaw also bypasses the module.allow_web_admin restriction via the REST API.
- Unauthenticated File Read (CVE-2026-40075): A path traversal vulnerability in the ModuleResourcesServlet allows an unauthenticated attacker to read arbitrary files from the server, such as /etc/passwd or database credentials. While newer versions of Apache Tomcat mitigate this at the container level, the underlying defect in the OpenMRS code remains a significant risk for older deployments.

The OpenMRS security team urges all medical facilities to upgrade to version 2.8.6 or 2.7.9 immediately.
If an immediate upgrade is not possible, administrators should:
- Audit Permissions: Restrict the “Manage Concepts” privilege to only a few highly trusted users.
- Database Inspection: Carefully audit the concept_reference_range table for any unauthorized or suspicious script-like entries.
- Update Tomcat: Ensure the application is running on Apache Tomcat 8.5.31/9.0.10 or higher to provide container-level protection against file-read exploits.
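As an added example (not OpenMRS code) of the concept_reference_range audit recommended above, the following Python heuristic flags criteria rows that contain Velocity directives, reflection- or process-related names, or Unicode escapes, none of which belong in a boolean clinical range expression. The column layout of the constructed sample rows and the shape of a legitimate criterion are assumptions.

```python
import re
from typing import NamedTuple

# Constructed sample rows shaped like (concept_reference_range_id, concept_id, criteria).
# The column layout and the legitimate criterion syntax are assumptions, not taken
# from the OpenMRS schema; rows 3-5 are constructed "suspicious" entries.
SAMPLE_ROWS = [
    (1, 5089, "$patient.getAge() >= 18"),
    (2, 5089, "$patient.getAge() < 18 && $patient.getGender() == 'F'"),
    (3, 5090, "#set($c = $patient.getClass()) $c"),
    (4, 5091, "#evaluate($patient.getGender())"),
    (5, 5092, "\\u0023set($y = 1)"),
]

# Velocity directives (#set, #foreach, #evaluate, ...) have no place in a range criterion.
DIRECTIVE_RE = re.compile(
    r"#\s*\{?\s*(set|foreach|evaluate|include|parse|macro|define)\b", re.IGNORECASE
)
# Reflection, class-loading or process-spawning names in a clinical range are a red flag.
REFLECTION_RE = re.compile(r"\b(getClass|forName|Runtime|ProcessBuilder|ClassLoader)\b|\.class\b")
# Unicode escapes can hide either of the above from a naive keyword grep.
ESCAPE_RE = re.compile(r"\\u00[0-9a-fA-F]{2}")
MAX_LEN = 200  # assumed upper bound for a legitimate criterion


class Finding(NamedTuple):
    range_id: int
    concept_id: int
    reasons: tuple


def audit_criteria(criteria: str) -> list[str]:
    """Return the list of reasons a single criteria string looks suspicious (empty if clean)."""
    reasons = []
    if DIRECTIVE_RE.search(criteria):
        reasons.append("velocity-directive")
    if REFLECTION_RE.search(criteria):
        reasons.append("reflection-or-process-api")
    if ESCAPE_RE.search(criteria):
        reasons.append("unicode-escape")
    if len(criteria) > MAX_LEN:
        reasons.append("unusual-length")
    return reasons


def audit_rows(rows) -> list[Finding]:
    """Audit every row and report only those with at least one reason."""
    findings = []
    for range_id, concept_id, criteria in rows:
        reasons = audit_criteria(criteria or "")
        if reasons:
            findings.append(Finding(range_id, concept_id, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in audit_rows(SAMPLE_ROWS):
        print(f"concept_reference_range_id={f.range_id} concept_id={f.concept_id}: {', '.join(f.reasons)}")
```

Any flagged row should be compared against the concept's change history and the user who last edited it before the entry is removed or the privilege is revoked.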