Executive Summary

CVE-2026-24849 is a critical vulnerability in OpenEMR versions prior to 7.0.4 affecting the `disposeDocument()` method in the `EtherFaxActions.php` controller of the Fax SMS module.

This vulnerability allows any authenticated user, regardless of their privilege level, to read arbitrary files from the server filesystem. It occurs because the method does not properly check user permissions or validate the file path parameter supplied by the user.

An attacker can exploit this by authenticating with any valid OpenEMR account and sending a specially crafted request with a file path pointing to sensitive files on the server. The server then reads and returns the contents of those files, exposing sensitive data.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts including unauthorized disclosure of sensitive system files, database credentials, application source code, user data, and patient records.

• Confidentiality: Critical breach allowing exposure of sensitive data.
• Integrity: Medium impact since the vulnerability allows read-only access without modification.
• Availability: Low impact as there is no disruption to service.

Overall, this vulnerability represents a critical security risk that can lead to exposure of confidential health information and system credentials.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability poses a critical risk to compliance with regulations such as HIPAA and GDPR because it can lead to unauthorized exposure of sensitive health data.

The unauthorized disclosure of patient records and other confidential information can result in violations of data protection and privacy requirements mandated by these standards.

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring HTTP requests to the vulnerable endpoint that include suspicious parameters. Specifically, look for requests to the disposeDocument method with the action parameter set to "download" and a file_path parameter containing absolute paths, directory traversal sequences (e.g., ".."), or targeting sensitive files such as "/etc/passwd" or "sqlconf.php".'}, {'type': 'paragraph', 'content': 'A suggested detection approach is to create SIEM rules that match HTTP requests containing the strings "disposeDocument", "file_path=", and "action=download" with suspicious file paths.'}, {'type': 'paragraph', 'content': 'Example command using curl to test if the vulnerability exists (requires valid authentication credentials):'}, {'type': 'list_item', 'content': 'curl -u <username>:<password> "http://<openemr-server>/interface/modules/custom_modules/oe-module-faxsms/src/Controller/EtherFaxActions.php?action=download&file_path=/etc/passwd"'}, {'type': 'paragraph', 'content': 'If the response contains the contents of the requested file (e.g., /etc/passwd), the system is vulnerable.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include:

• Upgrade OpenEMR to version 7.0.4 or later, which includes patches that add authentication checks, path validation, and file ownership verification in the disposeDocument() method.
• If upgrading is not immediately possible, disable the Fax SMS module (oe-module-faxsms) if it is not in use.
• Restrict access to the vulnerable module via web server configuration, such as using Apache access controls to limit which users or IP addresses can reach the disposeDocument endpoint.

Useful 0 Not Useful 0