Skip to main content

OpenMRS Core EUVDEUVD-2026-30558

| CVE-2026-41258 CRITICAL
Code Injection (CWE-94)
2026-05-04 https://github.com/openmrs/openmrs-core GHSA-xj4f-8jjg-vx4q
9.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
May 04, 2026 - 20:31 vuln.today
Analysis Generated
May 04, 2026 - 20:31 vuln.today

DescriptionGitHub Advisory

Impact

The ConceptReferenceRangeUtility.evaluateCriteria() method in OpenMRS Core evaluates database-stored criteria strings as Apache Velocity templates without any sandbox configuration. The VelocityEngine is initialized with only logging properties and noSecureUberspector, leaving the default UberspectImpl in place, which allows unrestricted Java reflection through template expressions.

A user with the Manage Concepts privilege can store a malicious Velocity template expression in a concept's reference range criteria field. This payload is then executed automatically whenever a user or API call validates an observation against the affected concept. The Velocity context exposes $patient (the Person / Patient object), $obs (the Obs object), and $fn (the ConceptReferenceRangeUtility instance with access to the full OpenMRS service layer).

Persistent Remote Code Execution: The payload persists in the concept_reference_range database table (VARCHAR 65535). A single compromised concept for a common clinical measurement executes the payload on every subsequent observation validation across all users, API clients, and integrations in the facility.

Privilege Escalation: The Manage Concepts privilege is a content-management function, defined as "Able to add/edit/delete concept entries", not an administrative privilege. Multiple non-admin staff per facility typically hold this privilege. The attacker escalates from concept dictionary management to arbitrary code execution as the Tomcat application server process.

PHI Exfiltration: The Velocity context objects directly expose patient data without requiring OS-level RCE.

Patches

This is fixed in 2.8.6 and 2.7.9 as well as future versions.

Workarounds

Ensure the Manage Concepts privilege is restricted to only authorized users and carefully audit any ConceptReferenceRanges in the database.

Resources

https://github.com/openmrs/openmrs-core/commit/8d1c193 https://www.machinespirits.com/advisory/1e8430/

AnalysisAI

Server-side template injection in OpenMRS Core allows authenticated users with 'Manage Concepts' privilege to execute arbitrary Java code by injecting malicious Apache Velocity templates into concept reference range criteria fields. The vulnerability stems from unsafe VelocityEngine initialization without sandbox restrictions (no SecureUberspector), enabling unrestricted Java reflection. Exploitation persists across all facility users whenever observations are validated against the compromised concept, creating a persistent remote code execution vector. Fixed in versions 2.7.9 and 2.8.6 via migration from Velocity to sandboxed Spring Expression Language (SpEL) with SimpleEvaluationContext. No active exploitation confirmed (not in CISA KEV), but proof-of-concept details available from researcher advisory at machinespirits.com.

Technical ContextAI

OpenMRS Core's ConceptReferenceRangeUtility.evaluateCriteria() method uses Apache Velocity template engine to evaluate database-stored criteria strings for clinical concept validation. The VelocityEngine was initialized with only logging configuration, using the default UberspectImpl introspector which permits unrestricted Java reflection through template expressions. The Velocity context exposes live OpenMRS objects including Patient/Person instances, Obs (observation) objects, and the ConceptReferenceRangeUtility service layer reference, providing direct access to the full application API and patient health information. CWE-94 (Improper Control of Generation of Code) applies as user-controlled data from the concept_reference_range VARCHAR(65535) database field is directly evaluated as executable template code. The patch replaces Velocity with Spring Expression Language (SpEL) using SimpleEvaluationContext with DataBindingPropertyAccessor (read-only), MapAccessor, and DataBindingMethodResolver, which restricts reflection capabilities and prevents arbitrary class instantiation. Expression parsing is cached via Caffeine cache with 20,000 entry maximum and 5-minute expiration to maintain performance.

RemediationAI

Upgrade immediately to OpenMRS Core version 2.7.9 (for 2.7.x branch) or 2.8.6 (for 2.8.x branch) which replace the vulnerable Apache Velocity template engine with sandboxed Spring Expression Language (SpEL) using SimpleEvaluationContext. Patch commit available at https://github.com/openmrs/openmrs-core/commit/8d1c193. If immediate upgrade is not feasible, restrict 'Manage Concepts' privilege to only essential trusted personnel and implement database-level audit logging on the concept_reference_range table to detect injection attempts. Audit existing ConceptReferenceRanges in the database for suspicious criteria strings containing Velocity template syntax such as dollar-sign variable references, method invocations, or Java class references (search for patterns like '$', '.class', '.getClass()', 'Runtime'). Note that restricting the privilege may disrupt normal clinical dictionary maintenance workflows, requiring operational coordination. Database auditing adds performance overhead proportional to concept modification frequency. No partial mitigation fully eliminates risk short of upgrading; workarounds only reduce attack surface.

More in Tomcat

View all
CVE-2017-12617 HIGH POC
8.1 Oct 04

When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTT

CVE-2016-8735 CRITICAL POC
9.8 Apr 06

Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8

CVE-2017-12615 HIGH POC
8.1 Sep 19

When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. Rated high severity (CVSS 8.1), this

CVE-2014-0050 HIGH POC
7.5 Apr 01

MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products,

CVE-2017-12616 HIGH
7.5 Sep 19

When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80 it was possible to bypass security constraints and/or

CVE-2014-0227 MEDIUM
6.4 Feb 16

java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat 6.x before 6.0.42, 7.x before 7.0.55, and

CVE-2013-5528 MEDIUM POC
4.0 Oct 11

Directory traversal vulnerability in the Tomcat administrative web interface in Cisco Unified Communications Manager all

CVE-2016-6808 CRITICAL POC
9.8 Apr 12

Buffer overflow in Apache Tomcat Connectors (mod_jk) before 1.2.42. Rated critical severity (CVSS 9.8), this vulnerabili

CVE-2016-1240 HIGH POC
7.8 Oct 03

The Tomcat init script in the tomcat7 package before 7.0.56-3+deb8u4 and tomcat8 package before 8.0.14-1+deb8u3 on Debia

CVE-2016-5425 HIGH POC
7.8 Oct 13

The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS, Oracle Linux, and possibly other Linux distribu

CVE-2022-22965 CRITICAL POC
9.8 Apr 01

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data b

CVE-2025-31650 HIGH POC
7.5 Apr 28

Improper Input Validation vulnerability in Apache Tomcat. Rated high severity (CVSS 7.5), this vulnerability is remotely

Share

EUVD-2026-30558 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy