Path traversal in OpenMRS - CVE-2026-40076

Published: May 4, 2026


Vulnerability identifier: #VU129556
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-40076
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenMRS
Affected software:
OpenMRS

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to path traversal in WebModuleUtil.startModule() when processing a crafted .omod archive uploaded to POST /openmrs/ws/rest/v1/module. A remote privileged user can upload a crafted module archive containing ZIP entries with directory traversal sequences to execute arbitrary code.

The REST API endpoint does not enforce the module.allow_web_admin property, and exploitation requires the traversal target to be writable within the web application root so that a written JSP file can be executed.
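As an added example (not OpenMRS code), the defensive check that prevents this class of bug when a module archive is unpacked: each entry name is resolved against the destination directory before anything is written, and the whole archive is refused if any entry resolves outside it. It is written in Python so it runs stand-alone; the archive contents and the module directory path are constructed for the example.

```python
import io
import os
import tempfile
import zipfile

def resolve_entry(dest_dir, entry_name):
    """Absolute path an entry would land on, or None if it escapes dest_dir
    ('..' segments and absolute entry names both end up outside dest_dir)."""
    dest = os.path.realpath(dest_dir)
    # Treat backslashes as separators too, so Windows-built archives cannot smuggle '..'.
    target = os.path.realpath(os.path.join(dest, entry_name.replace("\\", "/")))
    return target if os.path.commonpath([dest, target]) == dest else None

def traversal_entries(archive, dest_dir):
    """Names of entries that would escape dest_dir; an empty list means the archive is clean."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return [i.filename for i in zf.infolist() if resolve_entry(dest_dir, i.filename) is None]

def safe_extract(archive, dest_dir):
    """Validate every entry first, then extract; refuse the whole archive on any escape."""
    bad = traversal_entries(archive, dest_dir)
    if bad:
        raise ValueError("refusing archive with traversal entries: %r" % bad)
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue  # parent directories are created as files are written
            target = resolve_entry(dest_dir, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.relpath(target, os.path.realpath(dest_dir)))
    return written

def build_archive(entries):
    """Constructed in-memory archive from {entry_name: bytes}; not a real .omod."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed samples: a benign module layout, and one whose entry climbs out of the module directory.
CLEAN_OMOD = build_archive({"config.xml": b"<module/>", "lib/mod.jar": b""})
BAD_OMOD = build_archive({"config.xml": b"<module/>", "../../escaped.jsp": b""})

def extract_to_tempdir(archive):
    # Extract into a throwaway directory and return the relative paths written, sorted.
    with tempfile.TemporaryDirectory() as tmp:
        return sorted(safe_extract(archive, tmp))
```

The same pre-write check belongs in the module loader itself, since a traversal entry in the REST upload path is indistinguishable from a valid one until its name is resolved.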


How to mitigate CVE-2026-40076

Install the security update from the vendor's website.

Sources