CVE-2026-40076
Published 2026-05-06
Priority: P2 (67) · high · CVSS 3.1 base score 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.85% (53.6th percentile)
OpenMRS Core is an open source electronic medical record system platform. In versions 2.7.8 and earlier and versions 2.8.0 through 2.8.5, the module upload endpoint at POST `/openmrs/ws/rest/v1/module` is vulnerable to a Zip Slip path traversal attack. During automatic extraction of uploaded .omod archives in `WebModuleUtil.startModule()`, ZIP entries under `web/module/` are checked only to see whether the full entry path starts with `..`, and the remaining path is then concatenated into the destination path without normalization or a boundary check. A crafted archive can therefore include entries such as `web/module/../../../../malicious.jsp` and cause files to be written outside the intended module directory.
An authenticated attacker with module upload access can write arbitrary files to locations such as the web application root and achieve remote code execution by uploading a JSP file and then requesting it. The issue is compounded by the fact that the module.allow_web_admin runtime property is enforced in the legacy UI controller but not in the REST API upload path, so deployments relying on that property to block web-based module administration remain exposed through the REST endpoint. This issue has been fixed in versions after 2.7.8 in the 2.7.x line and in version 2.8.6 and later.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| openmrs | openmrs | <= 2.7.8 | — |
| openmrs | openmrs | 2.8.0 – 2.8.5 | — |
| openmrs | openmrs-core | <= 2.7.8 | — |
| openmrs | openmrs-core | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 4.0 | 9.4 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
VulDB (2026-05-06, CVSS 9.4): CVE-2026-40076 [CRITICAL] OpenMRS up to 2.7.8/2.8.5 REST Endpoint module WebModuleUtil.startModule path traversal
A vulnerability classified as critical was found in OpenMRS up to 2.7.8/2.8.5. Impacted is the function WebModuleUtil.startModule of the file /openmrs/ws/rest/v1/module of the component REST Endpoint. Such manipulation leads to path traversal.
This vulnerability is listed as CVE-2026-40076. The attack may be performed from remote. There is no available exploit.
Upgrading the affected component is advised.
GHSA (2026-05-04): CVE-2026-40076 [HIGH] CWE-22 OpenMRS Module Upload Vulnerable to Path Traversal (Zip Slip)
## Affected Versions
version ≤ 2.7.8 (latest version at time of disclosure)
https://github.com/openmrs/openmrs-core
## Impact
The endpoint `POST /openmrs/ws/rest/v1/module` is vulnerable to a path traversal (Zip Slip) attack. An authenticated attacker can upload a crafted `.omod` archive containing ZIP entries with directory traversal sequences. Upon automatic extraction by the server, the incomplete path validation in `WebModuleUtil.startModule()` fails to prevent entries such as `web/module/../../../../malicious.jsp` from being written outside the intended module directory. If the traversal target falls within the web application root (e.g., `/usr/local/tomcat/webapps/openmrs/`), the attacker achieves arbitrary file write
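Both the NVD description above and this GHSA impact section describe the same defect: the extractor tests only whether the whole entry name begins with `..` and then concatenates the rest under the module directory. The following Java program is an added illustration written for this page, not OpenMRS code; the class name `ZipSlipCheck`, the `WEB_PREFIX` constant and the in-memory sample archive are all constructed here. It places a check of the weak shape the advisory describes beside a boundary check based on `Path.normalize()` and runs both over an archive containing one benign entry and one traversal entry, reporting each decision without writing anything to disk.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

/**
 * Added illustration of the Zip Slip check described in the advisory; not OpenMRS code.
 * weakCheckAccepts() mirrors the shape of the flawed test (leading ".." on the whole name only),
 * safeResolve() shows the normalize-then-boundary-check form that closes the hole.
 */
public class ZipSlipCheck {

    /** Prefix under which module web resources live, per the advisory (assumed stripping behaviour). */
    static final String WEB_PREFIX = "web/module/";

    /** Weak check: rejects only names that begin with "..", so "web/module/../x" passes. */
    static boolean weakCheckAccepts(String entryName) {
        return !entryName.startsWith("..");
    }

    /**
     * Hardened check: resolve the entry against the destination, normalize (collapsing "." and ".."),
     * and require the result to remain inside the destination. Returns null if the entry would escape.
     */
    static Path safeResolve(Path destDir, String entryName) {
        Path base = destDir.toAbsolutePath().normalize();
        String relative = entryName.startsWith(WEB_PREFIX)
                ? entryName.substring(WEB_PREFIX.length())
                : entryName;
        Path resolved = base.resolve(relative).normalize();
        return resolved.startsWith(base) ? resolved : null;
    }

    /** Constructed sample archive: one benign entry and one entry with traversal segments. */
    static byte[] buildSampleArchive() throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ZipOutputStream zip = new ZipOutputStream(bytes)) {
            zip.putNextEntry(new ZipEntry("web/module/page.jsp"));
            zip.write("<!-- benign resource -->".getBytes(StandardCharsets.UTF_8));
            zip.closeEntry();
            zip.putNextEntry(new ZipEntry("web/module/../../../../escaped.jsp"));
            zip.write("<!-- would land outside the module dir -->".getBytes(StandardCharsets.UTF_8));
            zip.closeEntry();
        }
        return bytes.toByteArray();
    }

    /** Walk the archive and report what each check decides for every entry. Nothing is extracted. */
    static List<String> audit(byte[] archive, Path destDir) throws IOException {
        List<String> report = new ArrayList<>();
        try (ZipInputStream in = new ZipInputStream(new ByteArrayInputStream(archive))) {
            ZipEntry entry;
            while ((entry = in.getNextEntry()) != null) {
                String name = entry.getName();
                boolean weak = weakCheckAccepts(name);
                Path safe = safeResolve(destDir, name);
                report.add(name
                        + " -> weak check: " + (weak ? "ACCEPT" : "REJECT")
                        + ", hardened check: " + (safe == null ? "REJECT" : "ACCEPT (" + safe + ")"));
            }
        }
        return report;
    }

    public static void main(String[] args) throws IOException {
        Path destDir = Files.createTempDirectory("module-dest");
        for (String line : audit(buildSampleArchive(), destDir)) {
            System.out.println(line);
        }
    }
}
```

Running it prints the benign entry as accepted by both checks and the traversal entry as accepted by the weak check but rejected by the hardened one. `Path.normalize()` is purely lexical; if the destination tree may contain symbolic links, resolve the real path of the destination directory as well before comparing, and keep in mind that the advisory's second point (the `module.allow_web_admin` property not being enforced on the REST path) is a separate authorization gap that no entry-name check addresses.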
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.