Description
OpenMRS Core is an open source electronic medical record system platform. In versions 2.7.8 and earlier and versions 2.8.0 through 2.8.5, the module upload endpoint at POST `/openmrs/ws/rest/v1/module` is vulnerable to a Zip Slip path traversal attack. During automatic extraction of uploaded .omod archives in `WebModuleUtil.startModule()`, ZIP entries under web/module/ are checked only to see whether the full entry path starts with `..`, and the remaining path is then concatenated into the destination path without normalization or a boundary check. A crafted archive can therefore include entries such as `web/module/../../../../malicious.jsp` and cause files to be written outside the intended module directory.

An authenticated attacker with module upload access can write arbitrary files to locations such as the web application root and achieve remote code execution by uploading a JSP file and then requesting it. The issue is compounded by the fact that the module.allow_web_admin runtime property is enforced in the legacy UI controller but not in the REST API upload path, so deployments relying on that property to block web-based module administration remain exposed through the REST endpoint. This issue has been fixed in versions after 2.7.8 in the 2.7.x line and in version 2.8.6 and later.
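The following is an added example, not OpenMRS code, modelling the check the description gives: the flawed extractor tests only whether the full entry name begins with `..` (which `web/module/../../../../malicious.jsp` never does) and then joins the remainder onto the module directory, while the hardened extractor canonicalizes each destination and requires it to stay strictly inside the module directory. The archive contents, the temporary directory layout (chosen so that the advisory's example entry lands in the webapp root) and the function names are all constructed for this example and say nothing about the real OpenMRS tree.

```python
"""Illustrative model of the Zip Slip check described in the advisory.

Added example, not OpenMRS code. The directory layout is constructed so the
advisory's example entry lands in the webapp root; it is not a claim about
the real OpenMRS layout.
"""
import io
import os
import tempfile
import zipfile

MODULE_PREFIX = "web/module/"

# Constructed archive contents. The payload is a harmless marker, not a shell.
MALICIOUS_ENTRIES = {
    "web/module/index.jsp": b"<%-- benign module page --%>",
    "web/module/css/../style.css": b"/* stays inside after normalization */",
    "web/module/../../../../malicious.jsp": b"<%-- marker: escaped module dir --%>",
}


def build_omod(entries):
    """Pack {entry_name: bytes} into an in-memory .omod (a plain ZIP).

    zipfile stores entry names verbatim, so '../' segments survive, exactly
    as they would in an archive crafted by an attacker.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def _module_files(zf):
    """Yield (entry, path relative to web/module/) for file entries only."""
    for entry in zf.infolist():
        name = entry.filename
        if name.startswith(MODULE_PREFIX) and not name.endswith("/"):
            yield entry, name[len(MODULE_PREFIX):]


def extract_vulnerable(omod_bytes, module_dir):
    """The flawed pattern: only the full entry name is tested for a leading
    '..', which 'web/module/../../../../x' never has; the remainder is then
    joined to module_dir with no normalization and no boundary check."""
    written = []
    with zipfile.ZipFile(io.BytesIO(omod_bytes)) as zf:
        for entry, rel in _module_files(zf):
            if entry.filename.startswith(".."):
                continue
            target = os.path.join(module_dir, rel)  # '..' segments kept as-is
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(entry))
            written.append(os.path.realpath(target))
    return written


def resolves_inside(root, rel):
    """True iff root/rel, after resolving '..' and symlinks, is strictly
    below root. Tolerates '..' that stays inside; rejects escapes."""
    root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root, rel))
    return target != root and os.path.commonpath([root, target]) == root


def extract_hardened(omod_bytes, module_dir):
    """Same loop with a canonical-path boundary check before any write."""
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(omod_bytes)) as zf:
        for entry, rel in _module_files(zf):
            if not resolves_inside(module_dir, rel):
                rejected.append(entry.filename)
                continue
            target = os.path.realpath(os.path.join(module_dir, rel))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(entry))
            written.append(target)
    return written, rejected


def demo():
    """Run both extractors on the constructed .omod inside a temp tree and
    report where files landed, relative to the temp root."""
    omod = build_omod(MALICIOUS_ENTRIES)
    with tempfile.TemporaryDirectory() as tmp:
        real_tmp = os.path.realpath(tmp)
        webapp_root = os.path.join(real_tmp, "openmrs")
        vuln_dir = os.path.join(webapp_root, "WEB-INF", "view", "module", "vuln")
        safe_dir = os.path.join(webapp_root, "WEB-INF", "view", "module", "safe")
        os.makedirs(vuln_dir)
        os.makedirs(safe_dir)
        vuln_written = extract_vulnerable(omod, vuln_dir)
        safe_written, rejected = extract_hardened(omod, safe_dir)
        return {
            "vulnerable_wrote": [os.path.relpath(p, real_tmp) for p in vuln_written],
            "hardened_wrote": [os.path.relpath(p, real_tmp) for p in safe_written],
            "hardened_rejected": rejected,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running it shows the flawed extractor writing `openmrs/malicious.jsp` four levels above the module directory, while the hardened one rejects only that entry and still accepts `css/../style.css`, which normalizes to a path inside the module directory. The boundary check is deliberately done on the resolved path rather than by string-matching `..`, so a blanket ban on `..` is not needed and encoded or repeated-separator variants cannot slip past it.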
Published: 2026-05-06
Score: 9.4 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenMRS Core 2.7.8 and earlier, and 2.8.0 through 2.8.5, allow an authenticated attacker to exploit a Zip Slip path traversal condition when uploading .omod modules. The extraction routine checks only whether the full entry name starts with `..` and then concatenates the remainder of the ZIP entry path into the destination without normalization or a boundary check, so crafted entries such as "web/module/../../../../malicious.jsp" write files outside the intended module directory. An attacker who can upload a module can thus place arbitrary files in the web application root and obtain remote code execution by uploading a JSP and then requesting it. The module.allow_web_admin runtime property is enforced only in the legacy UI controller, not on the REST API upload path, so configurations that rely on it to disable web-based module administration do not protect this endpoint.

Affected Systems

The affected product is OpenMRS Core (vendor OpenMRS); versions 2.7.8 and earlier, and 2.8.0 through 2.8.5, are vulnerable. The fix is in 2.8.6 and later, and in the 2.7.x line in versions after 2.7.8.

Risk and Exploitability

The CVSS 4.0 score of 9.4 rates this vulnerability Critical, and while no EPSS score is provided, the absence of a CISA KEV listing does not diminish the risk. The vector string records a network attack vector (AV:N) with low complexity and no user interaction, but high privileges (PR:H): the attacker needs to reach the REST endpoint POST "/openmrs/ws/rest/v1/module" with credentials that carry module upload rights. Once those prerequisites are met, exploitation is trivial, since it requires only uploading a crafted archive and then requesting the dropped JSP. A compounding factor is that the module.allow_web_admin property is not enforced on the REST path, so deployments that rely on it to disable web-based module administration remain exposed.

Generated by OpenCVE AI on May 6, 2026 at 20:39 UTC.

Remediation

The vendor fix is in OpenMRS Core 2.8.6 and later and in the 2.7.x line after 2.7.8; no vendor workaround is listed.

OpenCVE Recommended Actions

  • Upgrade OpenMRS Core to version 2.8.6 or later to apply the vendor patch that validates ZIP paths.
  • If an upgrade is not immediately feasible, block or restrict POST access to /openmrs/ws/rest/v1/module (for example at a reverse proxy or via network controls) and limit module upload privileges to the smallest possible set of administrative accounts. Do not rely on module.allow_web_admin for this, since it is not enforced on the REST path.
  • Because the traversal writes outside the module directory, controls scoped to that directory do not reduce impact. Run the servlet container under an account that cannot write to the deployed web application root or other JSP-serving paths, so that an escaped write cannot land where the container will execute it.

Generated by OpenCVE AI on May 6, 2026 at 20:39 UTC.

Tracking


Advisories
Source: Github GHSA
ID: GHSA-78fc-9688-w8xw
Title: OpenMRS Module Upload Vulnerable to Path Traversal (Zip Slip)
History

Wed, 06 May 2026 19:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: OpenMRS Core is an open source electronic medical record system platform. In versions 2.7.8 and earlier and versions 2.8.0 through 2.8.5, the module upload endpoint at POST `/openmrs/ws/rest/v1/module` is vulnerable to a Zip Slip path traversal attack. During automatic extraction of uploaded .omod archives in `WebModuleUtil.startModule()`, ZIP entries under web/module/ are checked only to see whether the full entry path starts with `..`, and the remaining path is then concatenated into the destination path without normalization or a boundary check. A crafted archive can therefore include entries such as `web/module/../../../../malicious.jsp` and cause files to be written outside the intended module directory. An authenticated attacker with module upload access can write arbitrary files to locations such as the web application root and achieve remote code execution by uploading a JSP file and then requesting it. The issue is compounded by the fact that the module.allow_web_admin runtime property is enforced in the legacy UI controller but not in the REST API upload path, so deployments relying on that property to block web-based module administration remain exposed through the REST endpoint. This issue has been fixed in versions after 2.7.8 in the 2.7.x line and in version 2.8.6 and later.
Title: OpenMRS Core arbitrary file write and code execution via Zip Slip in module upload
Weaknesses: CWE-22
References: (none)
Metrics: cvssV4_0

{'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-06T19:32:13.851Z

Reserved: 2026-04-09T00:39:12.205Z

Link: CVE-2026-40076

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-06T20:16:31.727

Modified: 2026-05-06T20:16:31.727

Link: CVE-2026-40076

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T20:45:05Z

Weaknesses