CVE-2026-40076

Name of the Vulnerable Software and Affected Versions OpenMRS Core versions prior to 2.7.9 OpenMRS Core versions 2.8.0 through 2.8.5

Description The module upload endpoint 'POST /openmrs/ws/rest/v1/module' is susceptible to a Zip Slip path traversal attack. This occurs during the automatic extraction of uploaded .omod archives within the startModule() function of WebModuleUtil. The system only verifies if the full entry path starts with .., failing to normalize the path or perform boundary checks on entries starting with web/module/. Consequently, a crafted archive containing entries such as web/module/../../../../malicious.jsp can result in files being written outside the intended module directory.

An authenticated attacker with module upload permissions can write arbitrary files to locations like the web application root. By uploading a JSP file and requesting it, the attacker can achieve remote code execution. Additionally, the module.allow web admin runtime property, intended to restrict web-based module administration, is not enforced in the REST API upload path, allowing the restriction to be bypassed.

Recommendations Update OpenMRS Core to a version after 2.7.8 in the 2.7.x line. Update OpenMRS Core to version 2.8.6 or later. As a temporary mitigation, restrict access to the 'POST /openmrs/ws/rest/v1/module' endpoint to minimize the risk of exploitation.