CVE-2026-40075 Overview
CVE-2026-40075 is a path traversal vulnerability [CWE-22] in OpenMRS Core, an open source electronic medical record system platform. The flaw exists in the /openmrs/moduleResources/{moduleid} endpoint, which is served by ModuleResourcesServlet. Because this endpoint serves static resources for the login page, it bypasses authentication filters, allowing unauthenticated attackers to read arbitrary files from the server filesystem. Affected versions include OpenMRS Core 2.7.8 and earlier, plus 2.8.0 through 2.8.5.
Critical Impact
Unauthenticated remote attackers can read arbitrary files including /etc/passwd and application configuration files containing database credentials.
Affected Products
- OpenMRS Core versions 2.7.8 and earlier (within the 2.7.x branch)
- OpenMRS Core versions 2.8.0 through 2.8.5
- Deployments running on Apache Tomcat versions prior to 8.5.31 or 9.0.10
Discovery Timeline
- 2026-05-05 - CVE-2026-40075 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-40075
Vulnerability Analysis
The vulnerability resides in the getFile() method of ModuleResourcesServlet. The method constructs a filesystem path by concatenating user-supplied input from the URL into an absolute filesystem path. The implementation does not call normalize() on the resulting path, nor does it validate that the resolved path remains within the allowed module resources directory.
Because /openmrs/moduleResources/{moduleid} is required to render the login page, OpenMRS exempts the endpoint from authentication filters. Unauthenticated attackers can therefore reach the vulnerable code path directly.
Root Cause
The root cause is missing path boundary validation. The servlet trusts URL path segments as safe input and concatenates them into a filesystem location without canonicalization. Standard defenses such as resolving the canonical path and verifying it starts with the intended base directory are absent. This is a classic [CWE-22] Improper Limitation of a Pathname to a Restricted Directory flaw.
Attack Vector
An attacker sends an HTTP request to /openmrs/moduleResources/{moduleid} containing traversal sequences in the path. Successful exploitation requires the target to run on Apache Tomcat versions prior to 8.5.31 or 9.0.10, where the ..; path parameter bypass is not mitigated by the container.
Once the traversal sequence reaches the servlet, the unsanitized concatenation allows the attacker to escape the module resources directory and reference any file readable by the Tomcat process. Targets typically include /etc/passwd, openmrs-runtime.properties, and other configuration files containing database credentials, which can be leveraged for follow-on attacks against the medical record database. The vulnerability mechanism is documented in the OpenMRS GitHub Security Advisory.
Detection Methods for CVE-2026-40075
Indicators of Compromise
- HTTP requests to /openmrs/moduleResources/ containing ..;, ..%2f, ..%5c, or repeated ../ traversal sequences
- Tomcat access log entries showing 200 responses to /moduleResources/ URLs that return non-resource content types
- Unexpected reads of /etc/passwd, openmrs-runtime.properties, or other configuration files by the Tomcat process user
Detection Strategies
- Inspect web server and reverse proxy logs for path traversal patterns targeting the moduleResources endpoint
- Correlate large or unusual response payloads from /openmrs/moduleResources/ with originating IP addresses
- Deploy Web Application Firewall (WAF) rules that flag ..; path parameter sequences against OpenMRS endpoints
Monitoring Recommendations
- Enable verbose access logging on the OpenMRS Tomcat instance and forward logs to a centralized SIEM
- Alert on file reads outside the OpenMRS application directory by the Tomcat service account
- Monitor outbound connections from the OpenMRS host that follow successful traversal requests, indicating credential abuse
How to Mitigate CVE-2026-40075
Immediate Actions Required
- Upgrade OpenMRS Core to a fixed release, available in versions after 2.7.8 in the 2.7.x branch and version 2.8.6 or later
- Upgrade Apache Tomcat to 8.5.31 or 9.0.10 or later to block the ..; path parameter bypass at the container level
- Rotate any database credentials and secrets stored in openmrs-runtime.properties if exposure is suspected
Patch Information
The OpenMRS maintainers fixed the path boundary validation defect in releases after 2.7.8 within the 2.7.x branch and in version 2.8.6 and later. Patch details are available in the OpenMRS GitHub Security Advisory GHSA-jjgj-cx3q-pw4w.
Workarounds
- Deploy on Apache Tomcat 8.5.31 or 9.0.10 or later, which mitigates the ..; bypass at the container level even if the underlying code defect remains
- Place a reverse proxy or WAF in front of OpenMRS to reject requests containing ..;, encoded traversal sequences, or null bytes in the path
- Restrict filesystem permissions for the Tomcat service account so sensitive files such as /etc/passwd and configuration files are not readable
# Example WAF/nginx rule blocking traversal patterns on the vulnerable endpoint
location /openmrs/moduleResources/ {
if ($request_uri ~* "(\.\./|\.\.;|%2e%2e%2f|%2e%2e/)") {
return 403;
}
proxy_pass http://openmrs_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
