CVE-2026-24849
Arbitrary File Read in OpenEMR EtherFaxActions.php Module
Publication date: 2026-02-25
Last updated on: 2026-02-25
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open-emr | openemr | < 7.0.4 (all versions before 7.0.4; fixed in 7.0.4) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-24849 is a vulnerability, rated critical, in OpenEMR versions before 7.0.4. It affects the `disposeDocument()` method of the `EtherFaxActions.php` controller in the Fax SMS module (`oe-module-faxsms`).
Any authenticated user, regardless of role, can read arbitrary files from the server's filesystem. The method neither checks that the caller is permitted to use the module nor validates the user-supplied `file_path` parameter, so it reads whatever path it is handed. This is a path traversal weakness (CWE-22).
To exploit it, an attacker logs in with any valid OpenEMR account and sends a request to the endpoint with `action=download` and a `file_path` pointing at a file of interest, for example the database configuration or `/etc/passwd`. The server reads that file and returns its contents in the response.
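The three checks the 7.0.4 fix is described as adding (a permission check, path validation and document-ownership verification), modelled in Python as an added example. This is not OpenEMR's code: the `resolve_under` and `authorize_download` helpers, the document registry, the users and the file names are constructed for illustration, and the store is a throwaway temporary directory.

```python
import os
import tempfile


class DownloadRefused(Exception):
    """Raised when a download request fails any of the checks."""


def resolve_under(base_dir, requested):
    """Map a user-supplied document name onto a real path inside base_dir.

    Absolute paths are refused outright. '..' segments and symlinks are
    collapsed by realpath() before the containment test, so a link inside
    the store that points outside it is caught as well.
    """
    if not requested or os.path.isabs(requested):
        raise DownloadRefused("absolute or empty path refused: %r" % requested)
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        raise DownloadRefused("path escapes document store: %r" % requested)
    return candidate


def authorize_download(user, requested, base_dir, registry):
    """Return the path to serve, or raise DownloadRefused.

    `user` is a dict with 'id' and 'fax_module_access' (a constructed
    stand-in for the session user); `registry` maps a document's path
    relative to base_dir to the id of the user who owns it.
    """
    if not user.get("fax_module_access"):
        raise DownloadRefused("user is not permitted to use the fax module")
    path = resolve_under(base_dir, requested)
    rel = os.path.relpath(path, os.path.realpath(base_dir))
    owner = registry.get(rel)
    if owner is None:
        raise DownloadRefused("no such document: %r" % requested)
    if owner != user["id"]:
        raise DownloadRefused("document belongs to another user")
    if not os.path.isfile(path):
        raise DownloadRefused("not a regular file: %r" % requested)
    return path


def run_demo():
    """Build a throwaway document store and exercise the checks.

    Returns {(user_id, requested_path): outcome}, where outcome is
    'served' or the refusal category, so the behaviour can be asserted on.
    """
    results = {}
    with tempfile.TemporaryDirectory() as root:
        store = os.path.join(root, "faxdocs")
        os.makedirs(store)
        # A config file outside the store, standing in for sqlconf.php.
        secret = os.path.join(root, "sqlconf.php")
        with open(secret, "w") as fh:
            fh.write("<?php $pass = 'constructed';\n")
        for name in ("fax-001.pdf", "fax-002.pdf"):
            with open(os.path.join(store, name), "wb") as fh:
                fh.write(b"%PDF-1.4 constructed sample\n")
        # A symlink inside the store that escapes it.
        os.symlink(secret, os.path.join(store, "escape.pdf"))

        registry = {"fax-001.pdf": 7, "fax-002.pdf": 9, "escape.pdf": 7}
        alice = {"id": 7, "fax_module_access": True}
        bob = {"id": 9, "fax_module_access": False}

        for user, req in [
            (alice, "fax-001.pdf"),     # own document: allowed
            (alice, "fax-002.pdf"),     # another user's document
            (alice, "../sqlconf.php"),  # traversal out of the store
            (alice, "/etc/passwd"),     # absolute path
            (alice, "escape.pdf"),      # symlink pointing outside
            (bob, "fax-002.pdf"),       # no module permission
        ]:
            try:
                authorize_download(user, req, store, registry)
                results[(user["id"], req)] = "served"
            except DownloadRefused as exc:
                results[(user["id"], req)] = str(exc).split(":")[0]
    return results


if __name__ == "__main__":
    for key, outcome in run_demo().items():
        print(key, "->", outcome)
```

The order of the checks matters: the permission test runs before any filesystem access, and containment is decided on the resolved real path, so neither a `..` segment nor a symlink planted inside the store can reach `sqlconf.php`. The ownership lookup is what stops one fax user from downloading another user's documents even when the path itself is well-formed.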
How can this vulnerability impact me?
This vulnerability can expose sensitive system files, the database configuration (including its credentials), application source code, user data and patient records to any authenticated user.
- Confidentiality: Critical. Any file the web server process can read is exposed.
- Integrity: No direct impact, since the flaw grants read access only. Disclosed secrets such as database credentials can, however, enable follow-on attacks that do modify data.
- Availability: Low. Reading files does not disrupt service.
Overall, this is a critical risk that can expose confidential health information and system credentials.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
Because it can expose protected health information and other personal data to users who are not authorized to see it, this vulnerability poses a critical compliance risk under HIPAA and GDPR.
Unauthorized disclosure of patient records and other confidential information can constitute a breach of the confidentiality and data-protection obligations those frameworks impose.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Monitor HTTP requests to the vulnerable endpoint for suspicious parameters. In particular, look for requests that reach the `disposeDocument` method with `action=download` and a `file_path` value that is an absolute path, contains directory traversal sequences (`..`, including percent-encoded forms such as `%2e%2e%2f`), or names a sensitive file such as `/etc/passwd` or `sqlconf.php`.
A workable SIEM rule matches requests whose URL contains `EtherFaxActions.php` (or `disposeDocument`) together with `action=download` and `file_path=`, then filters on suspicious path values. Parameters sent in a POST body do not appear in standard web server access logs, so a reverse proxy or application-level logging may be needed for full coverage.
To test whether an instance is vulnerable, authenticate first. OpenEMR uses a form login with a session cookie rather than HTTP basic authentication, so log in through the browser and reuse that session's cookie (named `OpenEMR` by default) in the request:
`curl -b "OpenEMR=<session-cookie-value>" "http://<openemr-server>/interface/modules/custom_modules/oe-module-faxsms/src/Controller/EtherFaxActions.php?action=download&file_path=/etc/passwd"`
If the response contains the contents of the requested file (here `/etc/passwd`), the instance is vulnerable; a patched instance refuses the request. [1]
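Detection logic of the kind described above, run over sample access-log lines, as an added example that is not from the original page or from OpenEMR. The log lines are constructed; the endpoint path is the one given above, while the sensitive-file list, the number of decoding rounds and the finding format are assumptions a team would tune for its own environment.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/nginx combined-format prefix: client, ident, user, timestamp,
# request line, status and size. Referer and User-Agent are not needed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Path fragment of the vulnerable controller, as given in the advisory text.
ENDPOINT = "oe-module-faxsms/src/Controller/EtherFaxActions.php"

# File names that should never appear in a fax download request
# (assumed list; extend it for your deployment).
SENSITIVE = ("sqlconf.php", "/etc/passwd", "/etc/shadow", ".env", "id_rsa")


def decode_fully(value, rounds=3):
    """Strip up to `rounds` layers of percent-encoding (catches %252e%252e)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_path(file_path):
    """Return why file_path looks malicious, or None if it looks benign."""
    path = decode_fully(file_path).replace("\\", "/")
    if ".." in path.split("/"):
        return "traversal"
    if path.startswith("/"):
        return "absolute path"
    lowered = path.lower()
    if any(marker in lowered for marker in SENSITIVE):
        return "sensitive filename"
    return None


def scan_line(line):
    """Return a finding dict for a suspicious download request, else None."""
    match = LOG_RE.match(line)
    if not match:
        return None
    parts = urlsplit(match.group("target"))
    if ENDPOINT not in parts.path:
        return None
    query = parse_qs(parts.query)  # removes one layer of %xx itself
    if query.get("action", [""])[0] != "download":
        return None
    for raw in query.get("file_path", []):
        reason = classify_path(raw)
        if reason:
            return {
                "ip": match.group("ip"),
                "ts": match.group("ts"),
                "status": int(match.group("status")),
                "file_path": decode_fully(raw),
                "reason": reason,
            }
    return None


def scan(lines):
    """Run scan_line over an iterable of log lines and collect the hits."""
    return [hit for hit in (scan_line(line) for line in lines) if hit]


# Constructed sample log: hosts, timestamps and sizes are invented.
CTRL = "/interface/modules/custom_modules/" + ENDPOINT
SAMPLE_LOG = [
    '10.0.0.5 - - [25/Feb/2026:10:01:02 +0000] "GET /interface/main/tabs/main.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [25/Feb/2026:10:01:40 +0000] "GET ' + CTRL + '?action=download&file_path=fax-2026-02-25-001.pdf HTTP/1.1" 200 48211 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [25/Feb/2026:10:02:11 +0000] "GET ' + CTRL + '?action=download&file_path=../../../../etc/passwd HTTP/1.1" 200 1843 "-" "curl/8.5.0"',
    '203.0.113.7 - - [25/Feb/2026:10:02:19 +0000] "GET ' + CTRL + '?action=download&file_path=/var/www/openemr/sites/default/sqlconf.php HTTP/1.1" 200 612 "-" "curl/8.5.0"',
    '203.0.113.7 - - [25/Feb/2026:10:02:35 +0000] "GET ' + CTRL + '?action=download&file_path=%252e%252e%252fsites%252fdefault%252fsqlconf.php HTTP/1.1" 403 0 "-" "curl/8.5.0"',
]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Run as a script it prints three findings for the constructed log: the legitimate download of a fax PDF is ignored, while the traversal, the absolute path to `sqlconf.php` and the double-encoded traversal are flagged. The `status` field is what a responder looks at next: a 200 with a non-trivial response size on a flagged request means the file was almost certainly served, whereas the 403 on the last line indicates an attempt that was blocked.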
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Upgrade OpenEMR to version 7.0.4 or later. The fix adds permission checks, path validation and file-ownership verification to the `disposeDocument()` method.
- If upgrading is not immediately possible, disable the Fax SMS module (`oe-module-faxsms`) if it is not in use.
- Otherwise, restrict access to the module at the web server, for example with Apache access controls on the `oe-module-faxsms` directory that limit which source IP addresses can reach the `EtherFaxActions.php` endpoint, and review web server logs for past requests to it with suspicious `file_path` values.