Description
OpenMRS is an open source electronic medical record system platform. From 2.7.0 to before 2.7.9 and 2.8.6, the ConceptReferenceRangeUtility.evaluateCriteria() method in OpenMRS Core evaluates database-stored criteria strings as Apache Velocity templates without any sandbox configuration. The VelocityEngine is initialized with only logging properties and no SecureUberspector, leaving the default UberspectImpl in place, which allows unrestricted Java reflection through template expressions. A user with the Manage Concepts privilege can store a malicious Velocity template expression in a concept's reference range criteria field. This payload is then executed automatically whenever a user or API call validates an observation against the affected concept. The Velocity context exposes $patient (the Person / Patient object), $obs (the Obs object), and $fn (the ConceptReferenceRangeUtility instance with access to the full OpenMRS service layer). This vulnerability is fixed in 2.7.9 and 2.8.6.
Published: 2026-05-15
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in OpenMRS Core is a stored Velocity SSTI flaw (CWE-94): an attacker holding the Manage Concepts privilege can store a malicious Velocity template expression in a concept's reference range criteria field. Based on the description, it is inferred that this privilege is required to exploit the vulnerability. When the application later validates an observation against that concept, the stored template is rendered with unrestricted access to Java reflection. The result is a stored template injection that can be leveraged for remote code execution on the server.

Affected Systems

OpenMRS Core versions from 2.7.0 through 2.7.8 and all 2.8.x releases prior to 2.8.6 are vulnerable. The fix was applied in 2.7.9 and 2.8.6.

Risk and Exploitability

The CVSS score of 9.1 marks this flaw as critical. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog, but the lack of sandboxing combined with full Java reflection gives the attacker a powerful attack vector whenever an observation validation occurs. Based on the description, it is inferred that the attacker must control a concept; once they do, they can download or modify code, read sensitive data, and elevate privileges. The attack surface is limited to users holding Manage Concepts rights, but a successful attack leads to system compromise. Given the severity and the expansive impact, prompt remediation is essential.

Generated by OpenCVE AI on May 15, 2026 at 18:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to OpenMRS Core 2.7.9 or later on the 2.7.x line, or 2.8.6 or later on the 2.8.x line; these releases remove the vulnerable Velocity evaluation path.
  • If an upgrade cannot be performed immediately, restrict or disable the Manage Concepts privilege for all but a small trusted group of administrators.
  • Consider hardening the Velocity engine configuration by replacing the default UberspectImpl with Velocity's SecureUberspector (or an equivalent sandbox) so that template expressions cannot reach Java reflection.
  • Monitor application logs for suspicious template execution patterns and ensure that no unauthorized assets are loaded during observation validation.
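As an added example (not OpenMRS code) of the hardening the third recommendation describes: the engine configuration the advisory reports, with the default UberspectImpl, beside one that installs Velocity's SecureUberspector, plus a self-test a deployment can run to confirm which one it has. It assumes Apache Velocity 1.7 or 2.x on the classpath; the $patient and $obs values and the sample criteria string are constructed stand-ins, not real OpenMRS objects.

```java
import java.io.StringWriter;
import java.util.Collections;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.runtime.RuntimeConstants;

// Added illustration, not OpenMRS code: the unsandboxed engine the advisory describes
// beside a hardened one, plus a self-test that shows the difference between them.
public class CriteriaEngineHardening {

    // Weak configuration: no uberspector property, so the default UberspectImpl is used
    // and a template can call getClass() on any context object and walk into reflection.
    static VelocityEngine unsandboxedEngine() {
        VelocityEngine ve = new VelocityEngine();
        ve.init();
        return ve;
    }

    // Hardened configuration: SecureUberspector refuses getClass(), Class/ClassLoader
    // methods and anything on Velocity's introspector.restrict.* lists.
    static VelocityEngine hardenedEngine() {
        VelocityEngine ve = new VelocityEngine();
        ve.setProperty(RuntimeConstants.UBERSPECT_CLASSNAME,
                "org.apache.velocity.util.introspection.SecureUberspector");
        ve.init();
        return ve;
    }

    // Renders a stored criteria string with a context shaped like the advisory's ($patient, $obs).
    static String evaluateCriteria(VelocityEngine ve, String criteria, Object patient, Object obs) {
        VelocityContext ctx = new VelocityContext();
        ctx.put("patient", patient);
        ctx.put("obs", obs);
        StringWriter out = new StringWriter();
        ve.evaluate(ctx, out, "criteria", criteria);
        return out.toString().trim();
    }

    // Deployment self-test: true if a template can read the real class name of a context object.
    static boolean exposesReflection(VelocityEngine ve) {
        Object obs = new Object();  // constructed stand-in for the Obs bean
        String rendered = evaluateCriteria(ve, "$obs.class.name", Collections.emptyMap(), obs);
        return rendered.equals(obs.getClass().getName());
    }

    public static void main(String[] args) {
        Object patient = Collections.singletonMap("age", 30);  // constructed stand-in for $patient
        String rule = "#if($patient.age >= 18)true#{else}false#end";  // constructed sample criteria
        System.out.println("default engine exposes reflection:  " + exposesReflection(unsandboxedEngine()));
        System.out.println("hardened engine exposes reflection: " + exposesReflection(hardenedEngine()));
        System.out.println("hardened engine still evaluates rule: " + evaluateCriteria(hardenedEngine(), rule, patient, new Object()));
    }
}
```

The hardened engine still evaluates ordinary property and comparison criteria; only the reflective walk from a context object to its Class is refused.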


Tracking


Advisories
Source: GitHub GHSA
ID: GHSA-xj4f-8jjg-vx4q
Title: OpenMRS has Stored Velocity SSTI to RCE via ConceptReferenceRange
History

Fri, 15 May 2026 17:30:00 +0000

Type: Metrics
Values Removed: -
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 15 May 2026 16:45:00 +0000

Type: Description
Values Removed: -
Values Added: the Description shown at the top of this page

Type: Title
Values Removed: -
Values Added: OpenMRS: Stored Velocity SSTI to RCE via ConceptReferenceRange

Type: Weaknesses
Values Removed: -
Values Added: CWE-94

Type: References
Values Removed: -
Values Added: -

Type: Metrics
Values Removed: -
Values Added: cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-15T16:40:36.115Z

Reserved: 2026-04-18T14:01:46.801Z

Link: CVE-2026-41258

Vulnrichment

Updated: 2026-05-15T16:40:22.907Z

NVD

Status : Received

Published: 2026-05-15T17:16:46.463

Modified: 2026-05-15T17:16:46.463

Link: CVE-2026-41258

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-15T19:00:07Z

Weaknesses