CVE-2026-40076 Overview
CVE-2026-40076 is a Zip Slip path traversal vulnerability [CWE-22] in OpenMRS Core, an open source electronic medical record system platform. The flaw affects versions 2.7.8 and earlier, plus versions 2.8.0 through 2.8.5. The module upload REST endpoint at POST /openmrs/ws/rest/v1/module fails to properly normalize ZIP entry paths inside uploaded .omod archives. An authenticated attacker with module upload privileges can write arbitrary files outside the intended module directory, including the web application root, and achieve remote code execution by deploying a JSP file.
Critical Impact
Authenticated attackers can achieve remote code execution on OpenMRS servers by uploading a crafted .omod archive containing path traversal sequences, fully compromising patient health record systems.
Affected Products
- OpenMRS Core versions 2.7.8 and earlier (2.7.x line)
- OpenMRS Core versions 2.8.0 through 2.8.5
- Deployments relying on module.allow_web_admin runtime property as a control
Discovery Timeline
- 2026-05-06 - CVE-2026-40076 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-40076
Vulnerability Analysis
The vulnerability resides in WebModuleUtil.startModule(), which handles automatic extraction of uploaded .omod archives. OpenMRS modules are distributed as ZIP archives, and during extraction, ZIP entries under web/module/ are validated only by checking whether the full entry path begins with ... The remaining path is then concatenated into the destination path without normalization or canonical boundary verification.
A crafted archive can include entries such as web/module/../../../../malicious.jsp. Because the prefix check passes (the path starts with web/module/, not ..), extraction proceeds, and the relative traversal sequences resolve outside the intended module directory. Files can be written to the web application root, enabling JSP deployment and subsequent code execution through a simple HTTP request.
Root Cause
The root cause is incomplete input validation [CWE-22] on ZIP entry paths during archive extraction. The check examines only the start of the entry path string rather than computing the canonical destination path and confirming it remains within the target extraction directory. This is a textbook Zip Slip pattern.
A secondary defect compounds the impact: the module.allow_web_admin runtime property is enforced in the legacy UI controller but not in the REST API upload path. Administrators who disabled web-based module administration via this property remain exposed through /openmrs/ws/rest/v1/module.
Attack Vector
Exploitation requires authenticated access with module upload permissions. The attacker constructs an .omod archive containing ZIP entries with traversal sequences inside web/module/ paths, submits it to the REST module endpoint, and then issues an HTTP request to the dropped JSP file. Server-side execution occurs in the context of the OpenMRS application process, granting access to patient data, database credentials, and the underlying host.
The vulnerability is described in prose only; refer to the GitHub Security Advisory GHSA-78fc-9688-w8xw for technical details.
Detection Methods for CVE-2026-40076
Indicators of Compromise
- Unexpected .jsp files appearing under the OpenMRS web application root or WEB-INF directories outside the legitimate module folder structure.
- POST requests to /openmrs/ws/rest/v1/module from non-administrative source addresses or at unusual hours.
- Newly created files with timestamps matching recent module upload events but located outside modules/ and web/module/ directories.
- Outbound network connections originating from the Tomcat or Java application server process shortly after module upload activity.
Detection Strategies
- Inspect .omod uploads at a web application firewall and reject archives whose ZIP entries contain .. sequences anywhere in the path.
- Audit OpenMRS access logs for POST requests to the module REST endpoint, correlating uploader identity with subsequent GET requests to newly created .jsp resources.
- Monitor file integrity on the OpenMRS web application directory tree to detect writes outside expected module subdirectories.
Monitoring Recommendations
- Enable verbose logging on the module upload endpoint and forward events to a centralized log platform for correlation.
- Alert on Java process spawning shell interpreters (sh, bash, cmd.exe) following module upload activity.
- Track creation of executable web content (.jsp, .jspx, .class) anywhere outside known module installation paths.
How to Mitigate CVE-2026-40076
Immediate Actions Required
- Upgrade OpenMRS Core to a version released after 2.7.8 in the 2.7.x line, or to 2.8.6 or later in the 2.8.x line.
- Audit accounts with module upload privileges and remove this permission from any user that does not require it.
- Review the OpenMRS web application directory for unauthorized .jsp or other executable files dropped outside legitimate module paths.
- Rotate database credentials, API keys, and session secrets if compromise is suspected.
Patch Information
The issue is fixed in OpenMRS Core versions after 2.7.8 in the 2.7.x line and in version 2.8.6 and later. Patch details and fix commits are documented in the OpenMRS GitHub Security Advisory GHSA-78fc-9688-w8xw.
Workarounds
- Restrict network access to /openmrs/ws/rest/v1/module using a reverse proxy or WAF rule until patching is complete.
- Revoke module upload privileges from all accounts as an interim control, since the module.allow_web_admin property does not protect the REST endpoint.
- Place the OpenMRS application server behind authenticated VPN access to limit the authenticated attack surface.
- Deploy ZIP archive scanning at the upload boundary to reject any archive containing entries with .. traversal sequences.
# Example reverse proxy rule (nginx) to block the REST module upload endpoint
location /openmrs/ws/rest/v1/module {
if ($request_method = POST) {
return 403;
}
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
