OpenMRS Core CVE-2026-40075
HIGH
GHSA-jjgj-cx3q-pw4w
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionNVD
Affected Versions
version ≤ 2.7.8 (latest version at time of disclosure)
https://github.com/openmrs/openmrs-core
Impact
The /openmrs/moduleResources/{moduleid} endpoint in OpenMRS Core is vulnerable to a path traversal attack. The ModuleResourcesServlet does not properly validate user-supplied path input, allowing an attacker to traverse directories and read arbitrary files from the server filesystem (e.g., /etc/passwd, application configuration files containing database credentials).
This endpoint serves static module resources (CSS, JS, images) and is not protected by authentication filters, as these resources are required for rendering the login page. Therefore, this vulnerability can be exploited by an unauthenticated attacker.
> Note: Successful exploitation requires the target deployment to run on Apache Tomcat < 8.5.31, where the ..; path parameter bypass is not mitigated by the container. Deployments on Tomcat ≥ 8.5.31 / ≥ 9.0.10 are protected at the container level, though the underlying code defect remains. >
Steps to Reproduce
- Identify a valid installed module ID on the target OpenMRS instance (e.g.,
legacyui). - Send the following HTTP request:
<img width="1038" height="798" alt="image" src="https://github.com/user-attachments/assets/7d10ee0e-4d81-4c01-bc84-a1bf5715f170" />
- The server responds with HTTP 200 and the contents of
/etc/passwd:
<img width="1028" height="843" alt="image" src="https://github.com/user-attachments/assets/b6806a7e-ff52-4f51-8f7f-7ea4e9754d10" />
Root Cause Analysis
The vulnerability exists in ModuleResourcesServlet.java (web/src/main/java/org/openmrs/module/web/ModuleResourcesServlet.java).
The getFile() method constructs a filesystem path from user-controlled input without performing path boundary validation:
protected File getFile(HttpServletRequest request) {
// Step 1: User-controlled path input
String path = request.getPathInfo();
// Step 2: Extract module from path prefix
Module module = ModuleUtil.getModuleForPath(path);
if (module == null) { return null; }
// Step 3: Strip module ID prefix - no traversal check
String relativePath = ModuleUtil.getPathForResource(module, path);
// Step 4: Concatenate into absolute path
String realPath = getServletContext().getRealPath("")
+ MODULE_PATH
+ module.getModuleIdAsPath()
+ "/resources"
+ relativePath; // contains "/../../../etc/passwd"
realPath = realPath.replace("/", File.separator);
// Step 5: No normalize().startsWith() boundary check
File f = new File(realPath);
if (!f.exists()) { return null; }
return f; // Arbitrary file returned to client
}The helper method ModuleUtil.getPathForResource() only strips the module ID prefix and performs no sanitization:
public static String getPathForResource(Module module, String path) {
if (path.startsWith("/")) {
path = path.substring(1);
}
return path.substring(module.getModuleIdAsPath().length());
// Returns unsanitized remainder, e.g., "/../../../../../../etc/passwd"
}The resulting path resolves as:
{webapp}/WEB-INF/view/module/legacyui/resources/../../../../../../etc/passwd
→ /etc/passwdNotably, the same codebase already implements correct path traversal protection in StartupFilter.java:
// StartupFilter.java - correct protection
fullFilePath = fullFilePath.resolve(httpRequest.getPathInfo());
if (!(fullFilePath.normalize().startsWith(filePath))) {
log.warn("Detected attempted directory traversal...");
return; // Request rejected
}This check is absent from ModuleResourcesServlet.
Remediation
Add a path boundary check after constructing realPath and before returning the File object. The fix should use normalize() + startsWith() to ensure the resolved path stays within the allowed module resources directory:
File f = new File(realPath);
Path allowedBase = Paths.get(getServletContext().getRealPath(""), "WEB-INF", "view", "module");
if (!f.toPath().normalize().startsWith(allowedBase.normalize())) {
log.warn("Blocked path traversal attempt: {}", request.getPathInfo());
return null;
}This is consistent with the existing pattern used in StartupFilter.java and TestInstallUtil.java within the same project.
AnalysisAI
Path traversal in OpenMRS Core's ModuleResourcesServlet allows unauthenticated attackers to read arbitrary files from the server filesystem, including sensitive configuration files and system files like /etc/passwd. The vulnerability exists in versions ≤ 2.7.8 and 2.8.0-2.8.5, with exploitation requiring Apache Tomcat < 8.5.31 where path parameter bypass protections are absent. …
Sign in for full analysis, threat intelligence, and remediation guidance.
RemediationAI
Within 24 hours: identify all OpenMRS Core deployments and determine version status; isolate any 2.7.x or 2.8.0-2.8.5 instances from external network access if possible. Within 7 days: upgrade all 2.8.x systems to version 2.8.6 or later; for 2.7.x instances, plan immediate migration to supported 2.8.6+ branch. …
Sign in for detailed remediation steps.
More from same product – last 7 days
Path traversal in Apache Ignite 2.0.0 through 2.17.0 lets authenticated REST API users read arbitrary files on the serve
Code execution via Groovy sandbox bypass in Apache Syncope 3.0 through 3.0.16, 4.0 through 4.0.5, and 4.1.0 allows a hig
Default configurations of Apache Shiro have a session fixation vulnerability. This issue affects Apache Shiro from 1.0
Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute. This issue
With valid login credentials, URL Redirection to Untrusted Site ('Open Redirect'), Server-Side Request Forgery (SSRF) vu
Share
External POC / Exploit Code
Leaving vuln.today