Description
OpenMRS Core is an open source electronic medical record system platform. In versions 2.7.8 and earlier and versions 2.8.0 through 2.8.5, the `/openmrs/moduleResources/{moduleid}` endpoint is vulnerable to a path traversal attack. The ModuleResourcesServlet constructs a filesystem path from user-controlled input without performing path boundary validation — the getFile() method concatenates the user-supplied path into an absolute filesystem path without calling normalize() or checking that the result stays within the allowed module resources directory. Because this endpoint serves static resources required for rendering the login page, it is not protected by authentication filters, allowing unauthenticated exploitation.

An attacker can traverse directories and read arbitrary files from the server filesystem, including /etc/passwd and application configuration files containing database credentials. Successful exploitation requires the target deployment to run on Apache Tomcat versions prior to 8.5.31, where the `..;` path-parameter bypass is not mitigated by the container. Deployments on Tomcat 8.5.31 or later and Tomcat 9.0.10 or later are protected at the container level, though the underlying code defect remains. This issue has been fixed in versions after 2.7.8 (within the 2.7.x branch) and in version 2.8.6 and later.
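
As an added illustration (not code from OpenMRS or from this advisory), the following Java class places the unsafe concatenation pattern the description refers to next to a bounded lookup that normalizes the resolved path and checks that it stays under the module resources directory. The class name, the sample directory and the request strings are constructed for the example; it assumes Java 8 or later and a POSIX path layout, and reads nothing from disk.

```java
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added example (not OpenMRS code): a resource lookup that keeps every
 * user-supplied relative path inside a fixed base directory. The class and
 * the directory used in main() are illustrative assumptions.
 */
public class BoundedResourceResolver {

    private final Path base;

    public BoundedResourceResolver(Path moduleResourcesDir) {
        // Absolute and normalized once, so startsWith() below compares like with like.
        this.base = moduleResourcesDir.toAbsolutePath().normalize();
    }

    /**
     * The defective pattern the advisory describes: the request path is glued onto
     * the base directory with no normalize() and no containment check, so ".."
     * segments in the request take the result outside the base directory.
     */
    public static Path unsafeResolve(Path base, String userPath) {
        return Paths.get(base.toString() + "/" + userPath);
    }

    /**
     * Hardened lookup. Returns the file to serve, or null when the request must be
     * refused (the caller answers 404 or 400 and never serves the file).
     */
    public Path resolve(String userPath) {
        if (userPath == null || userPath.isEmpty()) {
            return null;
        }
        Path candidate;
        try {
            // resolve() discards base entirely if userPath is absolute; normalize()
            // collapses "." and ".." segments. Both cases fail the check below.
            candidate = base.resolve(userPath).normalize();
        } catch (InvalidPathException e) {
            return null; // characters the filesystem cannot represent (e.g. NUL)
        }
        if (!candidate.startsWith(base) || candidate.equals(base)) {
            return null; // escaped the resource directory, or asked for the directory itself
        }
        // If the resource tree may contain symlinks, additionally confirm the real path
        // stays inside: candidate.toRealPath().startsWith(base.toRealPath()).
        return candidate;
    }

    public static void main(String[] args) {
        // Hypothetical resource directory; nothing is read from disk in this demo.
        Path dir = Paths.get("/opt/openmrs/moduleResources/examplemodule");
        BoundedResourceResolver resolver = new BoundedResourceResolver(dir);
        String[] requests = {
            "css/login.css",        // normal resource: served
            "css/../css/login.css", // redundant but stays inside: served
            "../../etc/passwd",     // traversal: refused
            "/etc/passwd",          // absolute path: refused
            ""                      // empty: refused
        };
        for (String r : requests) {
            Path unsafe = unsafeResolve(dir, r);
            Path safe = resolver.resolve(r);
            System.out.printf("%-22s unsafe -> %-60s hardened -> %s%n",
                    "\"" + r + "\"", unsafe, safe == null ? "REFUSED" : safe);
        }
    }
}
```

The containment test compares normalized absolute paths, so it holds regardless of how the request reached the servlet, including a container that failed to collapse traversal segments before dispatch. Rejecting rather than rewriting an out-of-bounds path also keeps a refused request visible in logs as a refusal.
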
Published: 2026-05-05
Score: 8.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a path traversal flaw in the ModuleResourcesServlet of OpenMRS Core, allowing an attacker to construct a file path that escapes the intended module resources directory. By sending a specially crafted request to the "/openmrs/moduleResources/{moduleid}" endpoint, an unauthenticated adversary can read any file on the server file system, including sensitive configuration files and "/etc/passwd". This weakness exists because the servlet concatenates user input without normalization or boundary checking, a classic example of CWE-22.

Affected Systems

OpenMRS Core is affected; specifically, the vulnerability applies to versions 2.7.8 and earlier, and 2.8.0 through 2.8.5. The flaw was fixed in the 2.7.x series after 2.7.8 and in the 2.8.x series after 2.8.5.

Risk and Exploitability

The CVSS score of 8.2 reflects moderate to high risk. The exploit can be performed over an unauthenticated HTTP connection, provided the deployment uses Apache Tomcat versions prior to 8.5.31 or prior to 9.0.10, where a known Tomcat path-parameter bypass exists. Deployments on Tomcat 8.5.31 and later or Tomcat 9.0.10 and later are protected at the container level, but the underlying code defect remains. The vulnerability is not listed in the CISA KEV catalog and no EPSS score is available, but the lack of authentication combined with simple path manipulation makes exploitation relatively straightforward under the conditions described.

Generated by OpenCVE AI on May 5, 2026 at 22:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenMRS to 2.7.9 or later within the 2.7.x branch, or to 2.8.6 or later in the 2.8.x branch
  • If upgrade is not immediately possible, restrict access to the /openmrs/moduleResources endpoint by adding authentication filters or moving the servlet behind a protected route
  • Ensure the application runs on Apache Tomcat 8.5.31+ or Tomcat 9.0.10+ to mitigate the container-level bypass and monitor logs for suspicious traversal attempts

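For the log-monitoring step above, an added example (not OpenCVE's or OpenMRS's code) that scans Tomcat access-log lines for moduleResources requests whose path still contains `..` after URL-decoding; legitimate module resources never need such a segment, so any hit deserves review. The log lines, the module id `examplemodule` and the class name are constructed for the example; it assumes Java 11 or later and Tomcat's default "common"/"combined" access-log pattern.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example (not OpenCVE or OpenMRS code): flag access-log lines in which a
 * request to the moduleResources endpoint carries a ".." segment once the path
 * is URL-decoded. Sample lines in main() are constructed.
 */
public class ModuleResourceLogCheck {

    // Request token of Tomcat's "common"/"combined" access-log pattern: "GET /path HTTP/1.1"
    private static final Pattern REQUEST =
            Pattern.compile("\"(?:GET|HEAD|POST) (\\S+) HTTP/[0-9.]+\"");
    private static final String ENDPOINT = "/openmrs/moduleResources/";

    /** True when the line is a moduleResources request with a traversal-looking path. */
    public static boolean isSuspicious(String logLine) {
        Matcher m = REQUEST.matcher(logLine);
        if (!m.find()) {
            return false;
        }
        String path = m.group(1);
        int q = path.indexOf('?');
        if (q >= 0) {
            path = path.substring(0, q); // the query string plays no part in file resolution
        }
        if (!path.startsWith(ENDPOINT)) {
            return false;
        }
        // Decode twice so single- and double-encoded dots (%2e, %252e) are both caught.
        String decoded = path;
        for (int i = 0; i < 2; i++) {
            try {
                decoded = URLDecoder.decode(decoded, StandardCharsets.UTF_8);
            } catch (IllegalArgumentException e) {
                return true; // a malformed %-escape on this endpoint is itself worth a look
            }
        }
        // "../", "..\" and the "..;" path-parameter form named in the advisory all contain "..".
        return decoded.contains("..");
    }

    /** Returns only the lines that isSuspicious() flags, in input order. */
    public static List<String> suspiciousLines(List<String> lines) {
        List<String> hits = new ArrayList<>();
        for (String line : lines) {
            if (isSuspicious(line)) {
                hits.add(line);
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample lines: client, ident, user, time, request, status, bytes.
        List<String> sample = List.of(
            "10.0.0.5 - - [05/May/2026:21:40:01 +0000] \"GET /openmrs/moduleResources/examplemodule/css/login.css HTTP/1.1\" 200 5120",
            "10.0.0.5 - - [05/May/2026:21:40:02 +0000] \"GET /openmrs/login.htm HTTP/1.1\" 200 8210",
            "198.51.100.7 - - [05/May/2026:21:41:10 +0000] \"GET /openmrs/moduleResources/examplemodule/../../etc/passwd HTTP/1.1\" 404 -",
            "198.51.100.7 - - [05/May/2026:21:41:11 +0000] \"GET /openmrs/moduleResources/examplemodule/%2e%2e/%2e%2e/etc/passwd HTTP/1.1\" 404 -",
            "198.51.100.7 - - [05/May/2026:21:41:12 +0000] \"GET /openmrs/moduleResources/examplemodule/..;/..;/etc/passwd HTTP/1.1\" 200 1873"
        );
        for (String hit : suspiciousLines(sample)) {
            System.out.println("SUSPICIOUS: " + hit);
        }
    }
}
```

The first two sample lines pass; the last three are reported. A `200` status on a flagged line, as in the last sample, is the case to escalate, since it indicates the container did not reject the path before the servlet handled it.
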
Advisories

Source: Github GHSA
ID: GHSA-jjgj-cx3q-pw4w
Title: OpenMRS ModuleResourcesServlet has Path Traversal that Leads to Arbitrary File Read

History

Tue, 05 May 2026 21:45:00 +0000

Type | Values Removed | Values Added
Description | (none) | (identical to the Description at the top of this page)
Title | (none) | OpenMRS Core arbitrary file read via path traversal in ModuleResourcesServlet
Weaknesses | (none) | CWE-22
References | (none) | (empty)
Metrics | (none) | cvssV4_0: {'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-05T21:25:41.993Z

Reserved: 2026-04-09T00:39:12.205Z

Link: CVE-2026-40075

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-05T22:16:00.520

Modified: 2026-05-05T22:16:00.520

Link: CVE-2026-40075

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T22:30:33Z

Weaknesses