PT-2026-37100 · Unknown+1 · Openmrs Core+1

Arron-Bit · Published 2026-05-04 · Updated 2026-05-06 · CVE-2026-40075
CVSS v4.0: 8.2 (High)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: OpenMRS Core versions prior to 2.7.9; OpenMRS Core versions 2.8.0 through 2.8.5
Description: The '/openmrs/moduleResources/{moduleid}' endpoint is susceptible to a path traversal attack. This occurs because the ModuleResourcesServlet uses the getFile() function to construct a filesystem path from user-supplied input without performing path boundary validation or using the normalize() method to ensure the result remains within the intended directory. Since this endpoint provides static resources for the login page, it bypasses authentication filters, allowing unauthenticated attackers to read arbitrary files from the server filesystem, such as '/etc/passwd' and configuration files containing database credentials. Successful exploitation depends on the server running Apache Tomcat versions prior to 8.5.31, as later versions (8.5.31+ and 9.0.10+) mitigate the '..;' path parameter bypass at the container level.
Recommendations: Update OpenMRS Core to a version after 2.7.8 within the 2.7.x branch, or to version 2.8.6 or later. As a temporary mitigation, restrict access to the '/openmrs/moduleResources/{moduleid}' endpoint, or ensure the application is deployed on Apache Tomcat 8.5.31 or later (8.5.x branch) or 9.0.10 or later.
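The missing guard the description refers to, shown as an added example rather than OpenMRS's own servlet code: a hypothetical resolver that normalizes the requested path and then checks that the result is still inside the resource directory. Because the check runs on the resulting filesystem path, it does not depend on how the container decoded or rewrote the request URL (the base directory and module name below are constructed values).

```java
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Hypothetical hardened resolver for a static-resource servlet (added example, not OpenMRS code).
 * The guard is the containment check on the normalized filesystem path, so it holds
 * no matter how the servlet container decoded or rewrote the request URL.
 */
public final class SafeResourceResolver {

    private final Path baseDir;

    public SafeResourceResolver(Path baseDir) {
        // Canonicalise the base directory once; every comparison below is against this form
        this.baseDir = baseDir.toAbsolutePath().normalize();
    }

    /**
     * Resolves a user-supplied relative path beneath baseDir.
     * Returns null whenever the result would leave baseDir, so the caller
     * answers 404 instead of opening the file.
     */
    public Path resolve(String requested) {
        if (requested == null || requested.isEmpty()) {
            return null;
        }
        Path relative = Paths.get(requested);
        // Path.resolve() discards baseDir when handed an absolute path, so refuse those outright
        if (relative.isAbsolute()) {
            return null;
        }
        // normalize() collapses "." and ".." segments but will still happily yield a path above
        // baseDir; startsWith() is the real boundary test. It compares whole name elements, not
        // string prefixes, so "/srv/res-other" does not pass for a base of "/srv/res".
        Path candidate = baseDir.resolve(relative).normalize();
        if (!candidate.startsWith(baseDir)) {
            return null;
        }
        return candidate;
    }

    public static void main(String[] args) {
        // Constructed sample base directory; it does not need to exist for the check to run
        SafeResourceResolver r = new SafeResourceResolver(Paths.get("/srv/openmrs/moduleResources"));
        System.out.println("in-tree   -> " + r.resolve("examplemodule/css/login.css"));
        System.out.println("dot-dot   -> " + r.resolve("../../../../etc/passwd"));
        System.out.println("absolute  -> " + r.resolve("/etc/passwd"));
    }
}
```

If the resource directory can contain symlinks, repeat the startsWith() check against candidate.toRealPath() so a link pointing outside the tree is also refused.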

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-40075
GHSA-JJGJ-CX3Q-PW4W

Affected Products

Apache Tomcat
Openmrs Core