CVE-2026-24849 Overview
OpenEMR is a widely deployed free and open source electronic health records (EHR) and medical practice management application used by healthcare organizations worldwide. A Path Traversal vulnerability (CWE-22) has been identified in versions prior to 7.0.4 that allows authenticated users to read arbitrary files from the server filesystem.
The vulnerability exists in the disposeDocument() method within EtherFaxActions.php. Any authenticated user, regardless of their privilege level within the OpenEMR system, can exploit this vulnerability to access sensitive files that should be protected from unauthorized access. Given that OpenEMR handles protected health information (PHI) and other sensitive medical data, this vulnerability poses significant risks to patient privacy and organizational security.
Critical Impact
Authenticated users can read arbitrary files from the server filesystem, potentially exposing sensitive patient data, configuration files with database credentials, and other critical system information in healthcare environments.
Affected Products
- OpenEMR versions prior to 7.0.4
- open-emr openemr (all versions before the patched release)
Discovery Timeline
- 2026-02-25 - CVE-2026-24849 published to NVD
- 2026-02-25 - Last updated in NVD database
Technical Details for CVE-2026-24849
Vulnerability Analysis
This Path Traversal vulnerability allows authenticated attackers to bypass intended file access restrictions and read arbitrary files from the server filesystem. The flaw resides in the disposeDocument() method in EtherFaxActions.php, which fails to properly validate user-supplied file paths before processing file read operations.
The attack can be executed remotely over the network and requires only low privileges—any authenticated user account is sufficient, regardless of their assigned role or permissions within the OpenEMR application. No user interaction is required to exploit this vulnerability, making it particularly dangerous in multi-user healthcare environments where various staff members may have legitimate but limited access to the system.
The primary impact is a complete breach of confidentiality for any file readable by the web server process. In healthcare environments, this could include patient medical records, billing information, prescription data, and system configuration files containing database credentials or API keys.
Root Cause
The root cause of CVE-2026-24849 is improper input validation (CWE-22: Improper Limitation of a Pathname to a Restricted Directory) in the disposeDocument() method. The function accepts user-controlled input for file path parameters without adequately sanitizing path traversal sequences such as ../ or absolute paths.
When processing file requests, the vulnerable code constructs file paths using unsanitized user input, allowing attackers to traverse outside the intended directory structure and access files elsewhere on the filesystem. The lack of canonicalization and path validation enables this directory traversal attack.
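To make the root cause concrete, the following Python illustration is added here (it is not OpenEMR code; the document directory and function names are assumed) and places the unsafe join the advisory describes next to a canonicalising check that confines the resolved path to the document directory and rejects both `../` sequences and absolute paths.

```python
import os

# Illustration only: a hypothetical per-site document directory, not an OpenEMR path.
DOC_ROOT = "/srv/example-emr/sites/default/documents"


def naive_document_path(requested: str) -> str:
    """The flawed pattern: user input is joined onto the directory with no validation.
    '../' walks out of DOC_ROOT, and an absolute path makes os.path.join discard DOC_ROOT."""
    return os.path.join(DOC_ROOT, requested)


def safe_document_path(requested: str, doc_root: str = DOC_ROOT):
    """Canonicalise and confine. Returns the resolved path, or None if the request
    would leave doc_root. Input is assumed already URL-decoded by the web layer."""
    if not requested or "\x00" in requested or os.path.isabs(requested):
        return None                      # empty, NUL-injected or absolute: reject outright
    root = os.path.realpath(doc_root)    # resolve symlinks and '..' in the base itself
    candidate = os.path.realpath(os.path.join(root, requested))
    # Containment is checked on the canonical path. A textual prefix test would accept
    # '/srv/docs-evil' for a root of '/srv/docs'; commonpath compares whole components.
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    for req in ("fax-2026-02-25.pdf", "../../../../../etc/passwd", "/etc/passwd"):
        print(f"{req!r:30} naive={naive_document_path(req)}  safe={safe_document_path(req)}")
```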
Attack Vector
The attack is network-based and can be executed by any authenticated user. The sequence is:
- The attacker authenticates to the OpenEMR application with any valid user credentials
- The attacker crafts a request to the disposeDocument() method containing path traversal sequences
- The server processes the request without proper validation
- Sensitive files outside the intended directory are returned to the attacker
The related security commit also addresses SSL verification issues that were part of the broader security update:
public function checkError($xml)
{
+ $httpVerifySsl = (bool) ($GLOBALS['http_verify_ssl'] ?? true);
$curlHandler = curl_init($xml);
$sitePath = $this->getGlobals()->getOpenEMRSiteDirectory();
$data = ['RxInput' => $xml];
curl_setopt($curlHandler, CURLOPT_URL, $this->getGlobals()->getPath());
curl_setopt($curlHandler, CURLOPT_POST, 1);
curl_setopt($curlHandler, CURLOPT_POSTFIELDS, 'RxInput=' . $xml);
- curl_setopt($curlHandler, CURLOPT_SSL_VERIFYPEER, 0);
+ curl_setopt($curlHandler, CURLOPT_SSL_VERIFYPEER, $httpVerifySsl);
curl_setopt($curlHandler, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($curlHandler, CURLOPT_COOKIESESSION, true);
curl_setopt($curlHandler, CURLOPT_COOKIEFILE, $sitePath . '/newcrop-cookiefile');
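Review bot: the new `$httpVerifySsl` value silently turns peer verification back off for any site whose `http_verify_ssl` global is set to false, with nothing in the hunk recording that choice; consider emitting a warning at the `+ $httpVerifySsl = (bool) ($GLOBALS['http_verify_ssl'] ?? true);` line when the value is false, and setting CURLOPT_SSL_VERIFYHOST explicitly beside the changed CURLOPT_SSL_VERIFYPEER line so the two settings cannot drift apart. Note also that this hunk sits in checkError() and writes a `newcrop-cookiefile`, so it is the SSL hardening from the same commit rather than the disposeDocument() path traversal fix itself, which is not shown on this page.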
Source: GitHub Commit Update
Detection Methods for CVE-2026-24849
Indicators of Compromise
- Web server access logs showing requests to EtherFaxActions.php with path traversal patterns (e.g., ../, ..%2f, ..%252f)
- Unusual file access attempts in web application logs targeting sensitive system files like /etc/passwd, configuration files, or patient data directories
- HTTP requests containing encoded directory traversal sequences in parameters directed at the disposeDocument() endpoint
- Audit logs showing authenticated users accessing files outside their normal operational scope
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block path traversal patterns in HTTP requests
- Configure intrusion detection systems (IDS) to alert on requests containing directory traversal sequences targeting OpenEMR endpoints
- Enable detailed application logging and monitor for anomalous file access patterns, particularly requests to EtherFaxActions.php
- Deploy file integrity monitoring on sensitive directories to detect unauthorized access attempts
Monitoring Recommendations
- Enable verbose logging in OpenEMR and regularly review logs for suspicious activity related to document handling functions
- Monitor web server access logs for repeated requests with encoded path characters targeting the vulnerable endpoint
- Implement alerting on any access attempts to sensitive system files from web application processes
- Conduct regular log analysis focusing on authenticated user sessions that show unusual file access patterns
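The indicators above (requests to EtherFaxActions.php carrying `../`, `..%2f` or `..%252f`) and the monitoring recommendation to watch for repeated encoded requests per authenticated user can be checked with a small log scanner. The Python below is an added example, not part of the advisory or of OpenEMR; the log lines are constructed, the `param` query name is a placeholder since the page does not name the vulnerable parameter, and the endpoint path is the one from the Apache example further down.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache combined-log prefix: client, ident, user, [time], "METHOD path PROTO", status
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
TARGET = "EtherFaxActions.php"          # endpoint file named in the advisory
TRAVERSAL = re.compile(r"\.\.[/\\]")    # applied only after full percent-decoding

EP = "/interface/modules/custom_modules/oe-module-faxsms/src/Actions/EtherFaxActions.php"
# Constructed sample traffic (not real logs). Line 3 is single-encoded, line 4 double-encoded.
SAMPLE_LOG = [
    '10.0.0.5 - nurse1 [25/Feb/2026:10:00:01 +0000] "GET /interface/example/benign.php HTTP/1.1" 200 5120',
    f'10.0.0.7 - frontdesk [25/Feb/2026:10:00:02 +0000] "GET {EP}?param=fax-123.pdf HTTP/1.1" 200 2048',
    f'10.0.0.9 - tempuser [25/Feb/2026:10:00:03 +0000] "GET {EP}?param=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1402',
    f'10.0.0.9 - tempuser [25/Feb/2026:10:00:04 +0000] "GET {EP}?param=..%252f..%252fetc%252fpasswd HTTP/1.1" 200 1402',
]


def fully_decode(s: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so ..%2f and ..%252f both become ../."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def flag_line(line: str):
    """Return a finding for a traversal attempt against the fax endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, user, ts, method, path, status = m.groups()
    if TARGET not in path:
        return None
    decoded = fully_decode(path)
    if not TRAVERSAL.search(decoded):
        return None
    return {"client": client, "user": user, "time": ts, "status": int(status),
            "decoded_path": decoded, "double_encoded": "%25" in path}


def scan(lines):
    """All findings plus a per-user count, the 'repeated requests' signal the advisory recommends."""
    findings = [f for f in (flag_line(l) for l in lines) if f]
    return findings, Counter(f["user"] for f in findings)


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG)[0]:
        print(finding)
```

A status of 200 on a flagged request, as in the constructed lines, is the case worth escalating, since it suggests the traversal was served rather than rejected.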
How to Mitigate CVE-2026-24849
Immediate Actions Required
- Upgrade OpenEMR to version 7.0.4 or later immediately
- Audit user accounts and remove unnecessary access privileges while awaiting patching
- Review access logs for any evidence of prior exploitation attempts
- Implement additional network segmentation to limit exposure of OpenEMR servers
- Consider temporarily restricting access to the EtherFaxActions.php functionality if not business-critical
Patch Information
OpenEMR has released version 7.0.4 which addresses this vulnerability. The security fix is available in commit 22f8e53e5769a88b7a16cb223bd197d044c84e5a. Organizations should update to the patched version as soon as possible.
For detailed patch information, refer to the GitHub Security Advisory and the GitHub Commit Update.
Workarounds
- Restrict network access to OpenEMR servers using firewall rules to limit exposure to trusted networks only
- Implement a Web Application Firewall (WAF) with rules to block path traversal patterns in requests
- Disable or restrict access to the EtherFax functionality at the web server level if not required for operations
- Apply principle of least privilege by reviewing and restricting user accounts to minimum necessary permissions
# Example Apache configuration to restrict access to the vulnerable endpoint
<LocationMatch "/interface/modules/custom_modules/oe-module-faxsms/src/Actions/EtherFaxActions.php">
Require ip 10.0.0.0/8
Require ip 172.16.0.0/12
Require ip 192.168.0.0/16
</LocationMatch>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.