CVE-2026-15477
Received Received - Intake

SQL Injection in Bahmni bahmnicore

Vulnerability report for CVE-2026-15477, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-12

Last updated on: 2026-07-12

Assigner: VulDB

Description

A vulnerability was detected in Bahmni bahmnicore up to 0.93. This affects the function additionalParams of the file /openmrs/ws/rest/v1/bahmnicore/sql of the component Search Endpoint. Performing a manipulation of the argument test results in sql injection. The attack can be initiated remotely. The exploit is now public and may be used. Upgrading to version 0.93.1, 1.0.1, 1.1.1, 1.2.1, 1.3.1 and 2.0.1 mitigates this issue. Upgrading the affected component is recommended.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-12
Last Modified
2026-07-12
Generated
2026-07-12
AI Q&A
2026-07-12
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 7 associated CPEs
Vendor Product Version / Range
bahmni bahmnicore to 0.93 (exc)
bahmni bahmnicore 0.93.1
bahmni bahmnicore 1.0.1
bahmni bahmnicore 1.1.1
bahmni bahmnicore 1.2.1
bahmni bahmnicore 1.3.1
bahmni bahmnicore 2.0.1

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-15477 is a vulnerability in the Bahmni bahmnicore package, specifically affecting the Search Endpoint function additionalParams in the file /openmrs/ws/rest/v1/bahmnicore/sql. An authenticated attacker can manipulate the argument 'test' to perform SQL injection attacks remotely.

This SQL injection can be exploited using techniques like boolean blind and error-based exfiltration to infer and extract sensitive patient data from the database, even though the attack does not directly return data.

The vulnerability affects versions up to 0.93, and patches are available in versions 0.93.1 and later. Mitigation includes upgrading to these fixed versions, restricting access to trusted IPs, auditing SQL search access, and monitoring logs for unusual activity.

Compliance Impact

The vulnerability in Bahmni bahmnicore allows an authenticated attacker to perform SQL injection attacks that can extract sensitive patient data through inference techniques. This exposure of sensitive health information could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which mandate the protection of personal and health-related data against unauthorized access and breaches.

Mitigation measures such as upgrading to patched versions, restricting access to trusted IPs, auditing access, and monitoring logs are recommended to reduce the risk of data exposure and help maintain compliance with these standards.

Impact Analysis

This vulnerability allows an authenticated attacker to perform SQL injection attacks remotely, potentially leading to unauthorized access to sensitive patient data stored in the database.

Although the attack does not directly return data, the attacker can infer confidential information through boolean blind and error-based exfiltration techniques.

Such unauthorized data access can compromise patient privacy and the integrity of the healthcare system using Bahmni, leading to serious security and privacy risks.

Detection Guidance

The vulnerability involves SQL injection via the additionalParams argument in the Search Endpoint of Bahmni bahmnicore. Detection can involve auditing SQL Search access and monitoring logs for unusual activity that may indicate exploitation attempts.

Restricting access to trusted IP addresses and reviewing the use of the "High Risk Patients" search query global property can help identify potential misuse.

Specific commands are not provided in the resources, but general approaches include checking web server logs for suspicious requests to /openmrs/ws/rest/v1/bahmnicore/sql and using network monitoring tools to detect unusual SQL query patterns or injection attempts.

Mitigation Strategies

Immediate mitigation involves upgrading the bahmnicore component to one of the patched versions: 0.93.1, 1.0.1, 1.1.1, 1.2.1, 1.3.1, or 2.0.1.

If you are using Docker-based deployments, pull the updated Bahmni Docker images containing the security fixes and restart the services.

For legacy deployments, manually replace the bahmni-core OMOD file with the patched version (0.93.1) and restart the service.

Additionally, consider removing the "High Risk Patients" search query global property if it is unused, restrict access to trusted IP addresses, and audit SQL Search access to reduce risk.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15477. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart