Vulnerabilities ›

CVE-2026-40076

High ⚡ Exploit Available

CWE-22 — Weakness Type

                    Published: May 6, 2026                      ·  Modified: May 13, 2026                      ·  Source: NVD                

CVSS v3

8.8

🔗 NVD Official

📄 Description (English)

OpenMRS Core is an open source electronic medical record system platform. In versions 2.7.8 and earlier and versions 2.8.0 through 2.8.5, the module upload endpoint at POST `/openmrs/ws/rest/v1/module` is vulnerable to a Zip Slip path traversal attack. During automatic extraction of uploaded .omod archives in `WebModuleUtil.startModule()`, ZIP entries under web/module/ are checked only to see whether the full entry path starts with `..,` and the remaining path is then concatenated into the destination path without normalization or a boundary check. A crafted archive can therefore include entries such as `web/module/../../../../malicious.jsp` and cause files to be written outside the intended module directory.

An authenticated attacker with module upload access can write arbitrary files to locations such as the web application root and achieve remote code execution by uploading a JSP file and then requesting it. The issue is compounded by the fact that the module.allow_web_admin runtime property is enforced in the legacy UI controller but not in the REST API upload path, so deployments relying on that property to block web-based module administration remain exposed through the REST endpoint. This issue has been fixed in versions after 2.7.8 in the 2.7.x line and in version 2.8.6 and later.

🤖 AI Executive Summary

OpenMRS Core versions 2.7.8 and earlier, and 2.8.0-2.8.5 contain a critical Zip Slip path traversal vulnerability in the module upload REST endpoint that allows authenticated attackers to write arbitrary files outside the intended directory and achieve remote code execution. The vulnerability bypasses the module.allow_web_admin security property in the REST API, creating a significant risk for healthcare organizations using affected versions. Exploitation requires module upload access but can lead to complete system compromise through JSP file injection.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: May 11, 2026 18:33

🇸🇦 Saudi Arabia Impact Assessment

This vulnerability poses a critical risk to Saudi healthcare organizations, particularly those using OpenMRS for electronic medical records management. The Ministry of Health (MOH), private hospitals, and healthcare facilities relying on OpenMRS are at severe risk of data breach, patient record manipulation, and system compromise. The vulnerability affects the healthcare sector most directly, with potential secondary impacts on government health information systems and ARAMCO healthcare operations. The ability to achieve RCE through authenticated module upload could lead to unauthorized access to sensitive patient data (PHI), system downtime, and regulatory violations under GDPR and Saudi healthcare data protection requirements.

🏢 Affected Saudi Sectors

Healthcare Government Health Services Private Hospitals and Clinics Medical Research Institutions Pharmaceutical Companies Health Insurance Providers ARAMCO Healthcare Operations

🎯 MITRE ATT&CK Techniques

T1190 - Exploit Public-Facing Application T1434 - Exploit Software Supply Chain T1567 - Exfiltration Over Web Service T1070 - Indicator Removal T1083 - File and Directory Discovery T1105 - Ingress Tool Transfer T1059 - Command and Scripting Interpreter T1543 - Create or Modify System Process T1547 - Boot or Logon Autostart Execution

⚖️ Saudi Risk Score (AI)

9.2

/ 10.0

🔧 Remediation Steps (English)

IMMEDIATE ACTIONS:

1. Identify all OpenMRS deployments running versions 2.7.8 or earlier, and 2.8.0-2.8.5

2. Restrict access to the POST /openmrs/ws/rest/v1/module endpoint to trusted administrators only

3. Implement network-level access controls to limit module upload API access

4. Review audit logs for unauthorized module upload attempts

5. Verify module.allow_web_admin property is enforced (note: REST API bypasses this)



PATCHING GUIDANCE:

1. Upgrade to OpenMRS 2.7.9 or later (2.7.x line) or 2.8.6 or later (2.8.x line)

2. Test patches in non-production environment before deployment

3. Backup all data and configurations before upgrading



COMPENSATING CONTROLS (if immediate patching not possible):

1. Disable the REST module upload endpoint at the reverse proxy/WAF level

2. Implement strict input validation on uploaded .omod files

3. Use Web Application Firewall (WAF) rules to block path traversal patterns (../, ..\ sequences)

4. Implement file integrity monitoring on web application root directory

5. Restrict file write permissions on the application server



DETECTION RULES:

1. Monitor POST requests to /openmrs/ws/rest/v1/module for suspicious patterns

2. Alert on any .omod uploads containing path traversal sequences (../, ..\)

3. Monitor for JSP file creation in unexpected directories

4. Track failed and successful module uploads with source IP and user

5. Monitor web application root directory for unauthorized file modifications

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. تحديد جميع نشرات OpenMRS التي تعمل بالإصدارات 2.7.8 أو الإصدارات السابقة، و 2.8.0-2.8.5

2. تقييد الوصول إلى نقطة نهاية POST /openmrs/ws/rest/v1/module للمسؤولين الموثوقين فقط

3. تنفيذ عناصر تحكم الوصول على مستوى الشبكة لتحديد وصول واجهة برمجة التطبيقات لتحميل الوحدات

4. مراجعة سجلات التدقيق لمحاولات تحميل الوحدات غير المصرح بها

5. التحقق من فرض خاصية module.allow_web_admin (ملاحظة: واجهة برمجة التطبيقات REST تتجاوز هذا)

إرشادات التصحيح:

1. الترقية إلى OpenMRS 2.7.9 أو إصدار أحدث (سطر 2.7.x) أو 2.8.6 أو إصدار أحدث (سطر 2.8.x)

2. اختبار التصحيحات في بيئة غير الإنتاج قبل النشر

3. النسخ الاحتياطي لجميع البيانات والتكوينات قبل الترقية

عناصر التحكم التعويضية (إذا لم يكن الترقية الفورية ممكنة):

1. تعطيل نقطة نهاية تحميل وحدة REST على مستوى الوكيل العكسي/WAF

2. تنفيذ التحقق من صحة الإدخال الصارم على ملفات .omod المرفوعة

3. استخدام قواعد جدار حماية تطبيقات الويب (WAF) لحظر أنماط اجتياز المسار (../, ..\)

4. تنفيذ مراقبة سلامة الملفات في دليل جذر تطبيق الويب

5. تقييد أذونات كتابة الملفات على خادم التطبيق

قواعد الكشف:

1. مراقبة طلبات POST إلى /openmrs/ws/rest/v1/module للأنماط المريبة

2. التنبيه على أي تحميلات .omod تحتوي على أنماط اجتياز المسار (../, ..\)

3. مراقبة إنشاء ملفات JSP في الدلائل غير المتوقعة

4. تتبع عمليات تحميل الوحدات الفاشلة والناجحة مع عنوان IP والمستخدم

5. مراقبة دليل جذر تطبيق الويب للتعديلات غير المصرح بها على الملفات

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

A.5.1.1 - Information Security Policies and Procedures A.6.1.1 - Access Control Policy A.6.2.1 - User Registration and De-registration A.8.2.1 - Classification of Information A.8.2.3 - Handling of Assets A.12.2.1 - Controls Against Malware A.12.4.1 - Event Logging A.12.4.3 - Administrator and Operator Logs A.13.1.1 - Network Security Perimeter A.14.2.1 - Secure Development Policy

🔵 SAMA CSF

Governance - Policy and Risk Management Governance - Compliance and Audit Protection - Access Control and Authentication Protection - Data Protection and Privacy Protection - System and Communications Protection Detection - Security Monitoring and Logging Response - Incident Response and Management

🟡 ISO 27001:2022

5.1 - Policies for Information Security 6.1 - Information Security Roles and Responsibilities 6.2 - Information Security Competencies 8.1 - Operational Planning and Control 8.2 - Supply Chain 8.3 - Information and Communication Technology 8.4 - Removal of Assets 8.5 - Access Control 8.6 - Cryptography 8.7 - Physical and Environmental Security 8.32 - Change Management 8.33 - Test Information and Communication Technology Changes 8.34 - Protection of Information Systems from Malware 8.35 - Logging 8.36 - Monitoring Activities

🟣 PCI DSS v4.0.1

Requirement 1 - Install and Maintain Network Security Configuration Requirement 2 - Apply Secure Configurations Requirement 6 - Develop and Maintain Secure Systems and Applications Requirement 7 - Restrict Access to Cardholder Data Requirement 8 - Identify and Authenticate Access Requirement 10 - Log and Monitor All Access to Network Resources

🔗 References & Sources 2

🔗

https://github.com/openmrs/openmrs-core/security/advisories/GHSA-78fc-9688-w8xw

security-advisories@github.com

Vendor Advisory Exploit Mitigation

🔗

https://github.com/openmrs/openmrs-core/security/advisories/GHSA-78fc-9688-w8xw

134c704f-9b21-4f2e-91b3-4a467353bcc0

Vendor Advisory Exploit Mitigation

📦 Affected Products / CPE 2 entries

openmrs:openmrs

📊 CVSS Score

8.8

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredL — Low / Local

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityH — High

IntegrityH — High

AvailabilityH — High

📋 Quick Facts

Severity High

CVSS Score8.8

CWECWE-22

EPSS0.37%

Exploit ✓ Yes

Patch ✗ No

Published 2026-05-06

Source Feed nvd

🇸🇦 Saudi Risk Score

9.2

/ 10.0 — Saudi Risk

Priority: CRITICAL

🏷️ Tags

exploit-available CWE-22

🏢 Vendor Advisories

🔗 https://github.com/openmrs/openmrs-core/security/adv... 🔗 https://github.com/openmrs/openmrs-core/security/adv...

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2026-40076

Introduce Yourself

Sign In Required