Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionGitHub Advisory
Impact
The ConceptReferenceRangeUtility.evaluateCriteria() method in OpenMRS Core evaluates database-stored criteria strings as Apache Velocity templates without any sandbox configuration. The VelocityEngine is initialized with only logging properties and noSecureUberspector, leaving the default UberspectImpl in place, which allows unrestricted Java reflection through template expressions.
A user with the Manage Concepts privilege can store a malicious Velocity template expression in a concept's reference range criteria field. This payload is then executed automatically whenever a user or API call validates an observation against the affected concept. The Velocity context exposes $patient (the Person / Patient object), $obs (the Obs object), and $fn (the ConceptReferenceRangeUtility instance with access to the full OpenMRS service layer).
Persistent Remote Code Execution: The payload persists in the concept_reference_range database table (VARCHAR 65535). A single compromised concept for a common clinical measurement executes the payload on every subsequent observation validation across all users, API clients, and integrations in the facility.
Privilege Escalation: The Manage Concepts privilege is a content-management function, defined as "Able to add/edit/delete concept entries", not an administrative privilege. Multiple non-admin staff per facility typically hold this privilege. The attacker escalates from concept dictionary management to arbitrary code execution as the Tomcat application server process.
PHI Exfiltration: The Velocity context objects directly expose patient data without requiring OS-level RCE.
Patches
This is fixed in 2.8.6 and 2.7.9 as well as future versions.
Workarounds
Ensure the Manage Concepts privilege is restricted to only authorized users and carefully audit any ConceptReferenceRanges in the database.
Resources
https://github.com/openmrs/openmrs-core/commit/8d1c193 https://www.machinespirits.com/advisory/1e8430/
AnalysisAI
Server-side template injection in OpenMRS Core allows authenticated users with 'Manage Concepts' privilege to execute arbitrary Java code by injecting malicious Apache Velocity templates into concept reference range criteria fields. The vulnerability stems from unsafe VelocityEngine initialization without sandbox restrictions (no SecureUberspector), enabling unrestricted Java reflection. Exploitation persists across all facility users whenever observations are validated against the compromised concept, creating a persistent remote code execution vector. Fixed in versions 2.7.9 and 2.8.6 via migration from Velocity to sandboxed Spring Expression Language (SpEL) with SimpleEvaluationContext. No active exploitation confirmed (not in CISA KEV), but proof-of-concept details available from researcher advisory at machinespirits.com.
Technical ContextAI
OpenMRS Core's ConceptReferenceRangeUtility.evaluateCriteria() method uses Apache Velocity template engine to evaluate database-stored criteria strings for clinical concept validation. The VelocityEngine was initialized with only logging configuration, using the default UberspectImpl introspector which permits unrestricted Java reflection through template expressions. The Velocity context exposes live OpenMRS objects including Patient/Person instances, Obs (observation) objects, and the ConceptReferenceRangeUtility service layer reference, providing direct access to the full application API and patient health information. CWE-94 (Improper Control of Generation of Code) applies as user-controlled data from the concept_reference_range VARCHAR(65535) database field is directly evaluated as executable template code. The patch replaces Velocity with Spring Expression Language (SpEL) using SimpleEvaluationContext with DataBindingPropertyAccessor (read-only), MapAccessor, and DataBindingMethodResolver, which restricts reflection capabilities and prevents arbitrary class instantiation. Expression parsing is cached via Caffeine cache with 20,000 entry maximum and 5-minute expiration to maintain performance.
RemediationAI
Upgrade immediately to OpenMRS Core version 2.7.9 (for 2.7.x branch) or 2.8.6 (for 2.8.x branch) which replace the vulnerable Apache Velocity template engine with sandboxed Spring Expression Language (SpEL) using SimpleEvaluationContext. Patch commit available at https://github.com/openmrs/openmrs-core/commit/8d1c193. If immediate upgrade is not feasible, restrict 'Manage Concepts' privilege to only essential trusted personnel and implement database-level audit logging on the concept_reference_range table to detect injection attempts. Audit existing ConceptReferenceRanges in the database for suspicious criteria strings containing Velocity template syntax such as dollar-sign variable references, method invocations, or Java class references (search for patterns like '$', '.class', '.getClass()', 'Runtime'). Note that restricting the privilege may disrupt normal clinical dictionary maintenance workflows, requiring operational coordination. Database auditing adds performance overhead proportional to concept modification frequency. No partial mitigation fully eliminates risk short of upgrading; workarounds only reduce attack surface.
When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTT
Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8
When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. Rated high severity (CVSS 8.1), this
MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products,
When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80 it was possible to bypass security constraints and/or
java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat 6.x before 6.0.42, 7.x before 7.0.55, and
Directory traversal vulnerability in the Tomcat administrative web interface in Cisco Unified Communications Manager all
Buffer overflow in Apache Tomcat Connectors (mod_jk) before 1.2.42. Rated critical severity (CVSS 9.8), this vulnerabili
The Tomcat init script in the tomcat7 package before 7.0.56-3+deb8u4 and tomcat8 package before 8.0.14-1+deb8u3 on Debia
The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS, Oracle Linux, and possibly other Linux distribu
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data b
Improper Input Validation vulnerability in Apache Tomcat. Rated high severity (CVSS 7.5), this vulnerability is remotely
Same weakness CWE-94 – Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30558
GHSA-xj4f-8jjg-vx4q