OpenMRS Critical Security Advisory

Dear OpenMRS Community,

Over the past couple of weeks, we have received a number of major security reports relating to OpenMRS Core and the REST API. We believe these are critical vulnerabilities that if left unaddressed could enable an attacker to steal data or gain remote control over systems running OpenMRS.

Recommendations

We strongly recommend upgrading your version of core and modules to the following versions (or greater) as soon as possible. This is the minimum needed to be protected from the vulnerabilities found and fixed. The following versions contain the patch:

  • Platform 2.5.15+, 2.6.16+, 2.7.9+, 2.8.6+ (We are happy to work with implementations that may need things ported to earlier versions)
  • WebServices.REST 3.3.0+

Vulnerability Details

Here are the details of the vulnerabilities that have been reported and patched:

  • CVE-2026-40075: A Path Traversal issue in the ModuleResourcesServlet which allowed loading arbitrary files readable by OpenMRS from the file system
  • CVE-2026-40076: A Zip-slip issue in the module upload functionality, allowing an attacker to overwrite arbitrary files writable by OpenMRS on the file system
  • CVE-2026-40076: The module.allow_web_admin runtime property was only honored by the legacy UI and not enforced in core
  • CVE-2026-41258: An issue with the Velocity templating engine used in the concept reference ranges implementation would allow a user with the ability to manage concepts to execute arbitrary code, including exfiltrating PHI they may not otherwise be authorized to access.
  • No Current CVE: An issue where a user with limited permissions could leverage the REST API to access information (including PHI) they are not otherwise permitted to access, starting from information they were permitted to access.

Thank you to the security researchers who reported these issues: Arron-bit, Jeff Ponte, and Dr. Simon Weber, Volker Schönefeld and Chiara Fliegner from Machine Spirits UG.

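The first two items in the advisory (CVE-2026-40075, a path traversal in ModuleResourcesServlet, and the zip-slip in module upload) are the same bug in two places: a path taken from an untrusted source is joined to a trusted base directory and opened without checking that the result is still inside that directory. The following Java is an added example, not code from OpenMRS Core or from the advisory, showing the one check that closes both. The class name, the temporary module directory, the archive contents and the property file name in the malicious entry are all constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class SafePaths {

    /**
     * Resolve an untrusted relative path against a trusted base directory and
     * reject anything that escapes it. The same check serves a servlet that
     * maps a URL suffix to a file (path traversal) and an archive extractor
     * that maps an entry name to a file (zip slip).
     */
    static Path resolveInside(Path base, String untrusted) throws IOException {
        Path absBase = base.toAbsolutePath().normalize();
        // resolve() discards the base when given an absolute path, and normalize()
        // collapses "..", so an escaping input ends up outside absBase here.
        Path candidate = absBase.resolve(untrusted).normalize();
        if (!candidate.startsWith(absBase)) {
            throw new IOException("path escapes base directory: " + untrusted);
        }
        return candidate;
    }

    /** Vulnerable pattern: join and open. A "../" prefix walks out of the base. */
    static Path resolveUnchecked(Path base, String untrusted) {
        return base.resolve(untrusted);
    }

    /** Extract an uploaded archive into destDir, refusing entries that escape it. */
    static List<Path> extractSafely(byte[] zipBytes, Path destDir) throws IOException {
        List<Path> written = new ArrayList<>();
        try (ZipInputStream zin = new ZipInputStream(new ByteArrayInputStream(zipBytes))) {
            ZipEntry entry;
            while ((entry = zin.getNextEntry()) != null) {
                Path target = resolveInside(destDir, entry.getName()); // throws on "../"
                if (entry.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    Files.copy(zin, target);
                    written.add(target);
                }
                zin.closeEntry();
            }
        }
        return written;
    }

    /** Constructed test data: one benign entry and one zip-slip entry. */
    static byte[] buildMaliciousZip() throws IOException {
        ByteArrayOutputStream bout = new ByteArrayOutputStream();
        try (ZipOutputStream zout = new ZipOutputStream(bout)) {
            zout.putNextEntry(new ZipEntry("lib/module.properties"));
            zout.write("name=demo".getBytes(StandardCharsets.UTF_8));
            zout.closeEntry();
            // Entry name chosen to land two levels above the module directory.
            zout.putNextEntry(new ZipEntry("../../openmrs-runtime.properties"));
            zout.write("connection.username=attacker".getBytes(StandardCharsets.UTF_8));
            zout.closeEntry();
        }
        return bout.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        Path moduleDir = Files.createTempDirectory("openmrs-modules"); // hypothetical base

        // 1. Servlet-style resource lookup with a traversal suffix.
        String requested = "../../openmrs-runtime.properties";
        System.out.println("unchecked -> " + resolveUnchecked(moduleDir, requested).normalize());
        try {
            resolveInside(moduleDir, requested);
        } catch (IOException e) {
            System.out.println("checked   -> rejected: " + e.getMessage());
        }

        // 2. Module upload containing a zip-slip entry.
        try {
            extractSafely(buildMaliciousZip(), moduleDir);
        } catch (IOException e) {
            System.out.println("upload    -> rejected: " + e.getMessage());
        }
    }
}
```

Two caveats for a production fix. First, normalize() is a string operation and does not follow symbolic links; when the base directory may contain links, compare against toRealPath() of both the base and the candidate after the file exists. Second, extractSafely writes entries as it goes, so a rejected archive can leave earlier entries behind; either validate every entry name before writing anything or extract into a fresh staging directory and move it into place only on success.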

Thanks for the alert/update @ibacher … this is really important information… appreciation to the team :clap: for the hard work identifying the vulnerabilities & creating these patches.


Thanks @ibacher
