CVE-2026-25928 Overview
OpenEMR, a widely-used free and open source electronic health records (EHR) and medical practice management application, contains a path traversal vulnerability in its DICOM zip/export feature. Prior to version 8.0.0.2, the application fails to properly sanitize user-supplied destination or path components when creating zip files. This allows attackers with DICOM upload/export permissions to write files outside the intended directory by using path traversal sequences (e.g., ../), potentially enabling arbitrary file write and remote code execution.
Critical Impact
Authenticated attackers can exploit this path traversal vulnerability to write arbitrary files to the web server, potentially leading to remote code execution if executable files such as PHP scripts can be written to accessible locations.
Affected Products
- OpenEMR versions prior to 8.0.0.2
- OpenEMR DICOM zip/export feature
- Healthcare systems running vulnerable OpenEMR installations
Discovery Timeline
- 2026-03-19 - CVE CVE-2026-25928 published to NVD
- 2026-03-19 - Last updated in NVD database
Technical Details for CVE-2026-25928
Vulnerability Analysis
This vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as Path Traversal. The flaw exists in the DICOM file handling functionality where the application processes user-uploaded files without properly sanitizing the filename components.
When users upload DICOM files through the export feature, the application uses the user-supplied filename directly when creating files in the temporary directory. The lack of path traversal sequence filtering allows malicious actors to craft filenames containing ../ sequences that escape the intended directory structure.
The vulnerability requires network access and authenticated user privileges (specifically DICOM upload/export permissions), but once these conditions are met, exploitation can lead to high-impact integrity violations through arbitrary file writes.
Root Cause
The root cause lies in the C_Document.class.php controller, which processes uploaded DICOM files without stripping directory components from filenames. The original code used the raw $_FILES['dicom_folder']['name'] value directly when constructing file paths, allowing attackers to include path traversal sequences that would navigate outside the intended temporary_files_dir directory.
Attack Vector
An attacker with valid DICOM upload/export permissions can craft a malicious filename containing path traversal sequences. When processing the upload, the vulnerable code constructs a file path using the unsanitized filename, allowing the attacker to write files to arbitrary locations on the server filesystem. If the attacker can write to a web-accessible directory, they could upload a PHP webshell or other executable content to achieve remote code execution.
The following patch demonstrates how the vulnerability was addressed by adding the basename() function to strip directory components:
$zip_name = $GLOBALS['temporary_files_dir'] . "/" . $study_name;
if ($zip->open($zip_name, (ZipArchive::CREATE | ZipArchive::OVERWRITE)) === true) {
foreach ($_FILES['dicom_folder']['name'] as $i => $name) {
+ // Strip directory components to prevent path traversal.
+ $name = basename((string) $name);
$zfn = $GLOBALS['temporary_files_dir'] . "/" . $name;
- $fparts = pathinfo((string) $name);
+ $fparts = pathinfo($name);
if (empty($fparts['extension'])) {
// viewer requires lowercase.
$fparts['extension'] = "dcm";
Source: GitHub Commit Update
Detection Methods for CVE-2026-25928
Indicators of Compromise
- Unusual file creation events in directories outside the DICOM temporary folder
- Files with suspicious extensions (e.g., .php, .phtml) appearing in web-accessible directories
- DICOM upload requests containing path traversal sequences (../, ..%2F, %2e%2e/) in filename parameters
- Web server access logs showing requests to unexpected PHP files in image or temporary directories
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block path traversal sequences in HTTP POST requests to DICOM upload endpoints
- Monitor file integrity of web root directories and alert on creation of new executable files
- Enable and review OpenEMR application logs for anomalous DICOM export activity from unusual user accounts
- Deploy endpoint detection rules to identify file write operations that traverse parent directories
Monitoring Recommendations
- Configure real-time alerting for file creation events in web-accessible directories on OpenEMR servers
- Implement user behavior analytics to detect accounts with DICOM permissions exhibiting unusual upload patterns
- Regularly audit user accounts with DICOM upload/export permissions and remove unnecessary access
- Monitor system file integrity using tools that can detect unauthorized changes to web server directories
How to Mitigate CVE-2026-25928
Immediate Actions Required
- Upgrade OpenEMR to version 8.0.0.2 or later immediately
- Audit DICOM upload permissions and restrict access to only essential personnel
- Review web server directories for any unauthorized files that may have been written by attackers
- Implement temporary WAF rules to block path traversal sequences in DICOM upload requests until patching is complete
Patch Information
OpenEMR has released version 8.0.0.2 which addresses this vulnerability by implementing proper input sanitization using the basename() function to strip directory components from uploaded filenames. The fix is available in commit ddcf04ea769a33cdc1932355224575478df70585. Organizations should upgrade to this version or apply the security patch as soon as possible.
For detailed patch information, refer to the GitHub Security Advisory GHSA-rppw-f689-6hrm and the GitHub Commit Update.
Workarounds
- Temporarily disable DICOM upload/export functionality until the patch can be applied
- Restrict DICOM upload permissions to a minimum number of trusted users
- Configure web server to prevent execution of scripts in temporary and upload directories
- Implement network segmentation to limit access to OpenEMR administrative functions
# Example: Disable PHP execution in OpenEMR temporary directory (Apache)
# Add to .htaccess or virtual host configuration
<Directory "/var/www/openemr/sites/*/documents/temp">
php_flag engine off
<FilesMatch "\.php$">
Require all denied
</FilesMatch>
</Directory>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
