CVE-2026-40075
Path Traversal in OpenMRS Core
Publication date: 2026-05-05
Last updated on: 2026-05-06
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openmrs | core | to 2.8.6 (exc) |
| openmrs | core | From 2.8.0 (inc) to 2.8.6 (exc) |
| openmrs | core | to 2.8.5 (inc) |
| apache | tomcat | to 8.5.31 (exc) |
| apache | tomcat | From 8.5.31 (inc) |
| apache | tomcat | From 9.0.10 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in OpenMRS Core versions 2.7.8 and earlier and 2.8.0 through 2.8.5, specifically in the /openmrs/moduleResources/{moduleid} endpoint.
This endpoint is vulnerable to a path traversal attack because it constructs a filesystem path from user input without validating that the path stays within the allowed directory.
The getFile() method concatenates the user-supplied path into an absolute filesystem path without normalization or boundary checks.
Since this endpoint serves static resources needed for the login page, it is not protected by authentication filters, allowing unauthenticated attackers to exploit it.
An attacker can traverse directories and read arbitrary files on the server, such as /etc/passwd or configuration files containing database credentials.
Successful exploitation requires the server to run Apache Tomcat versions prior to 8.5.31, as later versions mitigate the path traversal at the container level.
The issue has been fixed in OpenMRS versions after 2.7.8 and in 2.8.6 and later.
How can this vulnerability impact me?
This vulnerability allows an unauthenticated attacker to read arbitrary files on the server filesystem.
Such access can expose sensitive information like system files (/etc/passwd) and application configuration files that may contain database credentials.
Exposure of these files can lead to further compromise of the system, including unauthorized access to the database and potentially the entire server.
The vulnerability can be exploited without any authentication, increasing the risk and ease of attack.
However, deployments running Apache Tomcat 8.5.31 or later are protected at the container level from this attack.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade OpenMRS Core to a version after 2.7.8 in the 2.7.x branch or to version 2.8.6 or later.
Additionally, ensure that your Apache Tomcat server is updated to version 8.5.31 or later, or 9.0.10 or later, as these versions include container-level protections against the path traversal bypass.
Avoid running vulnerable versions of OpenMRS Core and Apache Tomcat to prevent unauthenticated exploitation of the path traversal vulnerability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows unauthenticated attackers to perform path traversal attacks and read arbitrary files on the server, including sensitive files such as application configuration files containing database credentials.
Such unauthorized access to sensitive data can lead to data breaches, which may violate data protection regulations like GDPR and HIPAA that require safeguarding personal and health information.
Therefore, if exploited, this vulnerability could compromise compliance with these standards by exposing protected health information or personally identifiable information.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to exploit the path traversal flaw on the vulnerable endpoint `/openmrs/moduleResources/{moduleid}` to see if arbitrary files can be accessed without authentication.
A common detection method is to send HTTP requests that include directory traversal sequences in the path parameter to check if files like `/etc/passwd` or sensitive configuration files can be retrieved.
- Use curl to test for path traversal by requesting a sensitive file, for example: `curl -v "http://<target-host>/openmrs/moduleResources/someModule/../../../../../../etc/passwd"`
- Check the HTTP response for contents of the targeted file (e.g., presence of typical `/etc/passwd` entries).
- Verify the Apache Tomcat version; if it is prior to 8.5.31, the system is more likely vulnerable to the `..;` path parameter bypass.
- Review server logs for unusual requests to `/openmrs/moduleResources/` containing directory traversal patterns like `../` or `..;`.
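As an added defender-side example (not code from the OpenMRS project or from this advisory), the following Python models the boundary check the explanation above says getFile() lacked and runs that same check over constructed Tomcat access-log lines to flag traversal attempts against `/openmrs/moduleResources/`, including the `..;` path parameter variant. The resource root prefix, the combined log format and the sample log lines are assumptions.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

# Resource root served by the unauthenticated endpoint named in the advisory (assumed prefix).
MODULE_ROOT = "/openmrs/moduleResources/"

# Combined-format access log line: client, timestamp, request line, status (assumed format).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')


def normalize_request_path(raw_path):
    """Resolve a request path the way the container ultimately does: undo (double)
    percent-encoding, drop ';' path parameters so '..;' becomes '..', collapse '.' and '..'."""
    path = unquote(unquote(raw_path))
    path = re.sub(r";[^/]*", "", path)
    return normpath(path)


def escapes_module_root(raw_path):
    """True when a request to the module resource endpoint resolves outside MODULE_ROOT.
    This is the boundary check the advisory says getFile() did not perform."""
    if not raw_path.startswith(MODULE_ROOT):
        return False  # not aimed at this endpoint; out of scope for this check
    norm = normalize_request_path(raw_path)
    return not (norm == MODULE_ROOT.rstrip("/") or norm.startswith(MODULE_ROOT))


def scan_access_log(lines):
    """Return (client, raw_path, status) for every logged request that escapes MODULE_ROOT."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and escapes_module_root(m.group(4)):
            hits.append((m.group(1), m.group(4), int(m.group(5))))
    return hits


# Constructed sample log (not from any real system): one normal login-page asset, three
# traversal attempts (plain, the '..;' variant, percent-encoded) and one unrelated request.
SAMPLE_LOG = [
    '198.51.100.4 - - [05/May/2026:10:01:12 +0000] "GET /openmrs/moduleResources/uiframework/css/login.css HTTP/1.1" 200 5120',
    '203.0.113.7 - - [05/May/2026:10:02:03 +0000] "GET /openmrs/moduleResources/someModule/../../../../../../etc/passwd HTTP/1.1" 200 2314',
    '203.0.113.7 - - [05/May/2026:10:02:05 +0000] "GET /openmrs/moduleResources/someModule/..;/..;/..;/etc/passwd HTTP/1.1" 200 2314',
    '203.0.113.7 - - [05/May/2026:10:02:09 +0000] "GET /openmrs/moduleResources/someModule/%2e%2e/%2e%2e/%2e%2e/WEB-INF/web.xml HTTP/1.1" 404 0',
    '198.51.100.4 - - [05/May/2026:10:03:00 +0000] "GET /openmrs/login.htm HTTP/1.1" 200 9876',
]

if __name__ == "__main__":
    for client, path, status in scan_access_log(SAMPLE_LOG):
        print(f"{client} {status} {path}")
```

A 200 status on a flagged line means the server returned content for a path that resolves outside the module resource root and deserves immediate follow-up; a 404 still records an attempt worth correlating by client address.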