Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, the DICOM zip/export feature uses a user-supplied destination or path component when creating the zip file, without sanitizing path traversal sequences (e.g. `../`). An attacker with DICOM upload/export permission can write files outside the intended directory, potentially under the web root, leading to arbitrary file write and possibly remote code execution if PHP or other executable files can be written. Version 8.0.0.2 fixes the issue.
Published: 2026-03-19
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary file write potentially enabling remote code execution
Action: Immediate Patch
AI Analysis

Impact

OpenEMR packages DICOM folders into a zip file by using a user-supplied path component directly, without sanitization. Directory traversal sequences (e.g., "../") let an attacker place files outside the intended export directory. An attacker who can upload or export DICOM data can therefore write files to arbitrary locations, including the web root. If the written files contain executable code such as PHP scripts, this can lead to remote code execution. The weakness is a classic path-traversal issue, classified as CWE-22.

Affected Systems

The flaw exists in the OpenEMR electronic health records product before version 8.0.0.2. Any release of OpenEMR older than 8.0.0.2 that includes the DICOM zip/export feature is vulnerable. The affected functionality is the DICOM folder export that creates zip archives.

Risk and Exploitability

The CVSS score is 6.5, indicating moderate severity, and the EPSS score is below 1%, suggesting a low probability of public exploitation so far. The vulnerability is not listed in the CISA KEV catalog, but it can be leveraged by users with DICOM upload/export permissions, which may be a common role in clinical settings. An attacker would craft a DICOM file whose filename contains traversal sequences, upload it, then trigger an export to force the application to write the file outside the intended directory. No known public exploits are disclosed yet, but the attack path is straightforward if the necessary permissions are available. The official fix is to upgrade to OpenEMR 8.0.0.2 or later, where the path component is properly sanitized.

Generated by OpenCVE AI on March 20, 2026 at 18:23 UTC.
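The sanitization step the analysis above says the fixed version applies, shown as an added PHP example that is not OpenEMR's own code: the user-supplied name is allow-listed and the resolved output path is checked to stay inside the export directory. safeZipPath() and the temporary export directory are assumptions for illustration.

```php
<?php
// Added example, not OpenEMR's own code: derive the zip output path from a
// user-supplied name and refuse anything that could leave the export directory.
// safeZipPath() and the export directory used below are assumptions.

function safeZipPath(string $exportDir, string $userName): string
{
    // Allow a conservative name: no separators, no leading dot, bounded length.
    if (!preg_match('/^[A-Za-z0-9_-][A-Za-z0-9._-]{0,63}$/', $userName)
        || strpos($userName, '..') !== false) {
        throw new InvalidArgumentException("rejected export name: $userName");
    }
    $name = substr($userName, -4) === '.zip' ? $userName : $userName . '.zip';

    // Defence in depth: resolve the base directory and confirm the final path
    // still sits beneath it, even if the allow-list above is later relaxed.
    $base = realpath($exportDir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException("export directory unavailable: $exportDir");
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    $target = $prefix . $name;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException("path escapes export directory: $target");
    }
    return $target;
}

// Constructed inputs: one benign name and three that must be refused.
$exportDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dicom_export_demo';
if (!is_dir($exportDir)) {
    mkdir($exportDir, 0700, true);
}
foreach (['study42', '../../outside', 'sub/dir/study', '.hidden'] as $input) {
    try {
        echo $input, ' -> ', safeZipPath($exportDir, $input), PHP_EOL;
    } catch (Exception $e) {
        echo $input, ' -> ', $e->getMessage(), PHP_EOL;
    }
}
```

Only the first input yields a path; the zip writer (for example ZipArchive::open on the returned path) should receive nothing else.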

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenEMR to version 8.0.0.2 or later.
  • If an upgrade is not immediately possible, remove DICOM upload/export permissions from users who do not need them.
  • Restrict write access to the web root directory and monitor for unexpected file creations.
  • Consider moving the OpenEMR installation outside of the served web directory to limit potential impact of file writes.

Advisories

No advisories yet.

History

Sat, 21 Mar 2026 05:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 17:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Open-emr
                                      Open-emr openemr
CPEs                                  cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*
Vendors & Products                    Open-emr
                                      Open-emr openemr

Fri, 20 Mar 2026 09:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Openemr
                                      Openemr openemr
Vendors & Products                    Openemr
                                      Openemr openemr

Thu, 19 Mar 2026 19:45:00 +0000

Type          Values Removed   Values Added
Description                    OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, the DICOM zip/export feature uses a user-supplied destination or path component when creating the zip file, without sanitizing path traversal sequences (e.g. `../`). An attacker with DICOM upload/export permission can write files outside the intended directory, potentially under the web root, leading to arbitrary file write and possibly remote code execution if PHP or other executable files can be written. Version 8.0.0.2 fixes the issue.
Title                          OpenEMR Vulnerable to Path Traversal When Zipping DICOM Folders
Weaknesses                     CWE-22
References
Metrics                        cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-21T03:35:07.323Z

Reserved: 2026-02-09T16:22:17.785Z

Link: CVE-2026-25928

Vulnrichment

Updated: 2026-03-21T03:35:00.771Z

NVD

Status: Analyzed

Published: 2026-03-19T20:16:13.720

Modified: 2026-03-20T17:18:35.600

Link: CVE-2026-25928

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T11:55:13Z

Weaknesses