SB2026050484 - Multiple vulnerabilities in OpenMRS
Published: May 4, 2026
Description
This security bulletin contains information about 3 vulnerabilities.
1) Code Injection (CVE-ID: CVE-2026-41258)
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper control of code generation in ConceptReferenceRangeUtility.evaluateCriteria() when evaluating database-stored criteria strings as Apache Velocity templates. A remote privileged user can store a malicious Velocity template expression in a concept's reference range criteria field to execute arbitrary code.
The payload is executed automatically whenever an observation is validated against the affected concept, and the template context exposes patient and observation objects as well as the utility instance with access to the service layer.
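Added example, not code from the bulletin or from OpenMRS: a scan over stored reference-range criteria strings that flags Velocity constructs a comparison expression should never contain (directives, .class/getClass() introspection, Class.forName(), service lookups) and any context variable outside an allowlist. The root names $patient and $obs are an assumption; the bulletin only says the context exposes patient and observation objects plus the utility instance. The sample rows are constructed; in a real check they come from a SELECT over the criteria column.

```python
from __future__ import annotations

import re

# Velocity constructs that have no place in a reference-range criteria
# expression and are the usual building blocks of template injection.
# Heuristic list assembled for this example; it is not from the advisory.
DANGEROUS_PATTERNS = [
    (r"#\s*(set|foreach|if|elseif|else|macro|parse|include|evaluate|define)\b", "Velocity directive"),
    (r"\.\s*class\b", "reflection via .class"),
    (r"\bgetClass\s*\(", "reflection via getClass()"),
    (r"\bforName\s*\(", "Class.forName()"),
    (r"\b(Runtime|ProcessBuilder|ClassLoader|ScriptEngine)\b", "process or classloader access"),
    (r"\bgetService\w*\s*\(", "service-layer access"),
    (r"\b(newInstance|getMethod|invoke|getDeclared\w+)\s*\(", "reflection method call"),
]

# Context variables a legitimate criteria string is expected to reference.
# Assumption for this example: the advisory names the objects, not the variables.
ALLOWED_ROOTS = {"patient", "obs"}

# Root variable of a Velocity reference: $patient, $!obs, ${patient}
REF_RE = re.compile(r"\$!?\{?([A-Za-z_]\w*)")


def scan_criteria(criteria: str) -> list[str]:
    """Return the findings for one stored criteria string (empty list means clean)."""
    findings = []
    for pattern, label in DANGEROUS_PATTERNS:
        if re.search(pattern, criteria):
            findings.append(label)
    for root in REF_RE.findall(criteria):
        if root not in ALLOWED_ROOTS:
            findings.append(f"unexpected context reference ${root}")
    return findings


def scan_rows(rows) -> dict[int, list[str]]:
    """rows: iterable of (concept_id, criteria) as read from the database.
    Returns only the rows that produced findings."""
    flagged = {}
    for concept_id, criteria in rows:
        findings = scan_criteria(criteria or "")
        if findings:
            flagged[concept_id] = findings
    return flagged


# Constructed sample rows standing in for the database query.
SAMPLE_ROWS = [
    (1, "$patient.age >= 18 && $patient.gender == 'F'"),
    (2, "$obs.valueNumeric > 0"),
    (3, "#set($x = $obs.class.forName('java.lang.System'))"),
    (4, "$util.getService('patientService')"),
]

if __name__ == "__main__":
    for concept_id, findings in scan_rows(SAMPLE_ROWS).items():
        print(concept_id, findings)
```

A hit is a reason to inspect the row and the audit trail for who wrote it, not proof of compromise. Independently of the vendor fix, Velocity ships SecureUberspector, which blocks the .class and getClass() style of introspection at the template engine; it is a defence-in-depth setting, not a substitute for the update.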
2) Path traversal (CVE-ID: CVE-2026-40075)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to path traversal in ModuleResourcesServlet when handling requests to the /openmrs/moduleResources/{moduleid} endpoint. A remote attacker can send a specially crafted request to disclose sensitive information.
Successful exploitation requires the target deployment to run on Apache Tomcat versions earlier than 8.5.31.
3) Path traversal (CVE-ID: CVE-2026-40076)
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to path traversal in WebModuleUtil.startModule() when processing a crafted .omod archive uploaded to POST /openmrs/ws/rest/v1/module. A remote privileged user can upload a crafted module archive containing ZIP entries with directory traversal sequences to execute arbitrary code.
The REST API endpoint does not enforce the module.allow_web_admin property, and exploitation requires the traversal target to be writable within the web application root so that a written JSP file can be executed.
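Added example, not code from the bulletin or from OpenMRS, covering both path traversal items 2) and 3): confine() canonicalises a joined path and proves it stays under its base directory; resolve_module_resource() applies that to the moduleResources lookup, and safe_extract_omod() applies it to every entry of an uploaded archive before a single byte is written. The directory layout, the module id "reporting", the file names and the archive contents are constructed for the example.

```python
from __future__ import annotations

import io
import re
import tempfile
import zipfile
from pathlib import Path


class PathEscapeError(ValueError):
    """Raised when a requested path resolves outside its permitted base directory."""


def confine(base: Path, untrusted_relative: str) -> Path:
    """Join untrusted_relative onto base and prove the result stays inside base.
    Both sides are canonicalised (symlinks followed, '..' collapsed) before the
    comparison, so '../', absolute paths and symlinks out of base are all rejected."""
    base = base.resolve()
    candidate = (base / untrusted_relative).resolve()
    if candidate != base and base not in candidate.parents:
        raise PathEscapeError(f"{untrusted_relative!r} escapes {base}")
    return candidate


# Module ids are plain identifiers; anything else is refused before touching the filesystem.
MODULE_ID_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]*")


def resolve_module_resource(modules_root: Path, module_id: str, resource: str) -> Path:
    """Map /openmrs/moduleResources/{moduleid}/{resource} onto that module's own directory."""
    if not MODULE_ID_RE.fullmatch(module_id):
        raise PathEscapeError(f"bad module id {module_id!r}")
    module_dir = confine(modules_root, module_id)
    return confine(module_dir, resource)


def safe_extract_omod(omod_bytes: bytes, dest: Path) -> list[Path]:
    """Extract a module archive, refusing any entry whose target leaves dest (Zip Slip).
    Every entry is validated first, so a crafted archive leaves no partial files."""
    dest = dest.resolve()
    written: list[Path] = []
    with zipfile.ZipFile(io.BytesIO(omod_bytes)) as zf:
        planned = []
        for info in zf.infolist():
            name = info.filename
            if name.startswith("/") or "\\" in name:
                raise PathEscapeError(f"rejected entry name {name!r}")
            planned.append((info, confine(dest, name)))
        dest.mkdir(parents=True, exist_ok=True)
        for info, target in planned:
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target)
    return written


def build_omod(entries: dict[str, bytes]) -> bytes:
    """In-memory archive; writestr() keeps names such as '../x' verbatim, as a crafted .omod does."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def rejected(fn) -> bool:
    """True if fn() raises PathEscapeError."""
    try:
        fn()
    except PathEscapeError:
        return True
    return False


def demo() -> dict:
    """Exercise both checks against a constructed deployment layout in a temp dir."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        modules_root = root / "modules"
        (modules_root / "reporting" / "css").mkdir(parents=True)
        (modules_root / "reporting" / "css" / "style.css").write_text("body{}")
        (root / "WEB-INF").mkdir()
        (root / "WEB-INF" / "web.xml").write_text("<web-app/>")
        results["legit_resource"] = resolve_module_resource(modules_root, "reporting", "css/style.css").name
        results["traversal_rejected"] = rejected(
            lambda: resolve_module_resource(modules_root, "reporting", "../../WEB-INF/web.xml"))
        results["absolute_rejected"] = rejected(
            lambda: resolve_module_resource(modules_root, "reporting", "/etc/passwd"))
        good = build_omod({"config.xml": b"<module/>", "lib/x.jar": b"PK"})
        evil = build_omod({"config.xml": b"<module/>", "../../evil.jsp": b"<% %>"})
        evil_dir = root / "work" / "evil"
        results["good_written"] = sorted(p.name for p in safe_extract_omod(good, root / "work" / "good"))
        results["evil_rejected"] = rejected(lambda: safe_extract_omod(evil, evil_dir))
        results["evil_left_nothing"] = (not evil_dir.exists()) and not (root / "evil.jsp").exists()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The containment check runs on the already-decoded path the servlet receives, so it does not depend on the container's own normalisation, which the bulletin notes varies with the Tomcat version. For the upload case, validating the whole archive before writing matters because the bulletin's exploitation condition is a single JSP landing in a writable spot under the web root; one rejected entry has to abort the entire install.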
Remediation
Install the update from the vendor's website.
References
- https://github.com/openmrs/openmrs-core/security/advisories/GHSA-xj4f-8jjg-vx4q
- https://github.com/openmrs/openmrs-core/commit/8d1c193
- https://github.com/openmrs/openmrs-core/security/advisories/GHSA-jjgj-cx3q-pw4w
- https://github.com/openmrs/openmrs-core
- https://github.com/openmrs/openmrs-core/security/advisories/GHSA-78fc-9688-w8xw