Description
OpenEMR is a free and open source electronic health records and medical practice management application. In versions up to and including 8.0.0, an arbitrary file exfiltration vulnerability in the fax sending endpoint allows any authenticated user to read and transmit any file on the server (including database credentials, patient documents, system files, and source code) via fax to an attacker-controlled phone number. The vulnerability exists because the endpoint accepts arbitrary file paths from user input and streams them to the fax gateway without path restrictions or authorization checks. As of time of publication, no known patched versions are available.
Published: 2026-02-27
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized File Exfiltration
Action: Assess Impact
AI Analysis

Impact

The vulnerability allows an authenticated user to specify any file path in the fax sending endpoint, which the application then streams directly to a fax gateway. This results in the attacker being able to read and send any file on the server—including database credentials, patient documents, system files, and source code—to an external phone number, thereby compromising confidentiality. The weakness is a classic path traversal flaw, classified as CWE-22.

Affected Systems

The flaw exists in OpenEMR versions up to and including 8.0.0. Users running any of those releases are potentially exposed; no patched releases are currently available.

Risk and Exploitability

Based on the CVSS score of 6.5, the vulnerability carries moderate severity. The EPSS score is below 1%, suggesting a low likelihood of exploitation in the near term. The failure is not listed in the CISA KEV catalog, so there is no evidence of active exploitation. The attack vector requires the attacker to be an authenticated user, so the adversary must first compromise user credentials or gain legitimate access to the system. Once authenticated, the attacker can exploit the fax endpoint to exfiltrate any filepath supplied.

Generated by OpenCVE AI on April 16, 2026 at 15:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenEMR to a version released after 8.0.0 once the vendor supplies a fix.
  • If upgrade is unavailable, disable or restrict the fax endpoint for all users except administrators and enforce strict path validation.
  • Implement a whitelist or enforce relative path restrictions before streaming files to the fax gateway to prevent arbitrary read access.

Generated by OpenCVE AI on April 16, 2026 at 15:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 03 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Open-emr
Open-emr openemr
CPEs cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*
Vendors & Products Open-emr
Open-emr openemr

Mon, 02 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Openemr
Openemr openemr
Vendors & Products Openemr
Openemr openemr

Fri, 27 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Feb 2026 17:00:00 +0000

Type Values Removed Values Added
Description OpenEMR is a free and open source electronic health records and medical practice management application. In versions up to and including 8.0.0, an arbitrary file exfiltration vulnerability in the fax sending endpoint allows any authenticated user to read and transmit any file on the server (including database credentials, patient documents, system files, and source code) via fax to an attacker-controlled phone number. The vulnerability exists because the endpoint accepts arbitrary file paths from user input and streams them to the fax gateway without path restrictions or authorization checks. As of time of publication, no known patched versions are available.
Title OpenEMR Vulnerable to Arbitrary File Exfiltration via Fax Endpoint
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Open-emr Openemr
Openemr Openemr
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-27T18:27:12.987Z

Reserved: 2026-01-23T00:38:20.548Z

Link: CVE-2026-24488

cve-icon Vulnrichment

Updated: 2026-02-27T18:27:08.668Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-27T17:16:30.497

Modified: 2026-03-03T18:48:01.753

Link: CVE-2026-24488

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T15:30:06Z

Weaknesses