CVE-2026-25928
Path Traversal in OpenEMR DICOM Export Enables Remote Code Execution
Publication date: 2026-03-19
Last updated on: 2026-03-20
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open-emr | openemr | < 8.0.0.2 (8.0.0.2 itself is not affected) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25928 is a path traversal vulnerability (CWE-22) in OpenEMR versions before 8.0.0.2, specifically in the DICOM zip/export feature.

When the feature creates a zip archive of an uploaded DICOM folder, it builds the archive's destination from a user-supplied path component and does not strip or reject traversal sequences such as "../" before joining that component onto the intended temporary directory.

An attacker who holds DICOM upload/export permissions can therefore submit a crafted destination parameter that makes the archive land outside the temporary directory, potentially under the web root.

That is an arbitrary file write. If the written file is web-accessible and the server treats it as executable (for example a file with a .php name), the write can be turned into remote code execution.

The issue was fixed in OpenEMR 8.0.0.2 by sanitizing the supplied name and restricting the output path to a whitelisted (canonical) base directory. [1]
How can this vulnerability impact me?
This vulnerability allows an attacker with DICOM upload/export permissions to write files outside the intended directory.
If the attacker writes executable files such as PHP scripts under the web root, it can lead to remote code execution, allowing them to run arbitrary code on the server.
This compromises the integrity of the system by enabling unauthorized file writes and potentially full control over the affected server.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Start with the version: any OpenEMR installation older than 8.0.0.2 that has the DICOM zip/export feature in use is affected, so check the installed version first.

To find exploitation attempts or their artifacts, look for archives or other files that were created outside the export temporary directory, especially under the web root. A name-based check such as `find ... -name "*..*"` does not work here: the kernel resolves the "../" segments during path lookup, so the file that lands on disk has an ordinary name in the wrong directory.

Suggested commands and checks:

- Zip archives under the OpenEMR web root, where the export feature should never write: `find /path/to/openemr -type f -name "*.zip" -mtime -7`
- Recently created or modified files in the web root that should not be there (compare the hits against a clean copy of the same release): `find /path/to/openemr -type f -mtime -7`
- Web server logs: requests to the DICOM upload/export endpoints whose destination parameter contains "../" in plain or percent-encoded form (e.g. `%2e%2e%2f`, or double-encoded `%252e%252e`). Keep in mind that Apache and nginx access logs do not record POST bodies by default, so a destination sent in the request body is only visible with request-body logging, a WAF or reverse-proxy log, or application-level logging. [1]
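The log check above, as an added example (written for this page, not a tool from OpenEMR or the advisory) in Python: a scanner over access-log lines that parses the request line, percent-decodes each query parameter repeatedly so single- and double-encoded traversal sequences are both caught, and reports requests to a DICOM-related path whose parameters carry "../". The sample log lines are constructed, and the endpoint path `/openemr/dicom/export.php` and the parameter name `dest` are assumptions of the example, not OpenEMR's real endpoint; set `path_filter` to the path of the export endpoint in your installation.

```python
"""Added example, not OpenEMR code: flag access-log requests whose query
parameters carry a (possibly percent-encoded) path traversal sequence."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in Apache combined format. Hosts, paths and
# parameter names are invented for the example.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Mar/2026:10:01:02 +0000] "POST /openemr/dicom/export.php?dest=study42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Mar/2026:10:03:15 +0000] "POST /openemr/dicom/export.php?dest=..%2F..%2F..%2Fshell.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [19/Mar/2026:10:04:44 +0000] "GET /openemr/dicom/export.php?dest=%252e%252e%2F%252e%252e%2Fx HTTP/1.1" 200 77 "-" "curl/8.0"
198.51.100.9 - - [19/Mar/2026:10:05:01 +0000] "GET /openemr/index.php HTTP/1.1" 200 3001 "-" "curl/8.0"
"""

# Request line inside the quoted field: METHOD TARGET HTTP/x.y
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A '..' segment delimited by slash or backslash (or string start/end).
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so that a
    double-encoded %252e%252e is reduced to '..' like a plain one."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def traversal_params(target: str) -> list:
    """Return (name, decoded_value) for each query parameter of a request
    target that contains a traversal sequence after full decoding."""
    query = urlsplit(target).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):  # one decode pass
        decoded = fully_decode(value)
        if TRAVERSAL_RE.search(decoded):
            hits.append((name, decoded))
    return hits


def scan_log(text: str, path_filter: str = "/dicom/") -> list:
    """Scan access-log text; report requests whose path contains path_filter
    and whose query carries a traversal sequence. Only the query string is
    visible here: access logs do not contain POST bodies."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = REQ_RE.search(line)
        if not match:
            continue
        target = match.group("target")
        if path_filter not in urlsplit(target).path:
            continue
        hits = traversal_params(target)
        if hits:
            findings.append({
                "line": lineno,
                "ip": line.split(" ", 1)[0],
                "method": match.group("method"),
                "params": hits,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Run against a real log with `scan_log(open("/var/log/apache2/access.log").read(), path_filter="<export endpoint path>")`. Because the export is a POST in the page's description, expect a clean query string on most real traffic; a hit in the query string is strong evidence, but an absence of hits says nothing about parameters sent in the body, which need request-body or application-level logging to be reviewed.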
What immediate steps should I take to mitigate this vulnerability?
The recommended mitigation is to upgrade OpenEMR to 8.0.0.2 or later, where the issue is fixed.

If you cannot upgrade immediately, restrict DICOM upload/export permissions to trusted users, since exploitation requires that privilege, and confirm that the directory the export feature writes to is not itself served by the web server.

If you maintain local modifications to the code, apply the same fix as upstream: reduce the supplied destination to a bare filename with PHP's basename(), build the output path from a fixed base directory, and reject any result that does not resolve (realpath) inside that directory. Monitoring the input for "../" is useful for detection but is not a substitute for this check, since the sequence can arrive percent-encoded. [1, 2]