Threat Feed
critical advisory

OpenMRS Module Upload Path Traversal Vulnerability

OpenMRS versions 2.7.8 and earlier, as well as versions 2.8.0 through 2.8.5, are vulnerable to a path traversal (Zip Slip) attack via the `POST /openmrs/ws/rest/v1/module` endpoint that allows authenticated attackers to achieve arbitrary file write and remote code execution.

OpenMRS, an open-source enterprise electronic medical record system platform, is vulnerable to a path traversal (Zip Slip) vulnerability in its module upload functionality. Discovered in versions 2.7.8 and earlier, as well as versions 2.8.0 through 2.8.5, the vulnerability resides in the POST /openmrs/ws/rest/v1/module endpoint. An authenticated attacker with administrative privileges can exploit this flaw by uploading a specially crafted .omod archive containing malicious ZIP entries with directory traversal sequences. This can allow the attacker to write files outside of the intended module directory, potentially leading to arbitrary file write and remote code execution on the server. The vulnerability stems from incomplete path validation within the WebModuleUtil.startModule() function, an oversight compared to other extraction methods within the same codebase that are properly protected.

Attack Chain

  1. The attacker authenticates to the OpenMRS instance with valid admin credentials via Basic Auth.
  2. The attacker crafts a malicious .omod file containing a ZIP entry with a path traversal payload, such as web/module/../../../../<target_filename>.jsp.
  3. The attacker sends a POST request to the /openmrs/ws/rest/v1/module endpoint, uploading the malicious .omod file.
  4. The server receives the request and parses the uploaded .omod file, treating it as a ZIP archive.
  5. During module loading via WebModuleUtil.startModule(), the server extracts entries under the web/module/ directory.
  6. Due to an incomplete check, the entry web/module/../../../../<target_filename>.jsp passes the initial validation.
  7. The server writes the extracted file to a path built by concatenating the extraction directory with the traversed entry name, so the file lands outside the intended WEB-INF/view/module/ directory.
  8. If the written file is a JSP script, accessing it via a browser triggers server-side execution, achieving Remote Code Execution (RCE).
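As an added illustration (not OpenMRS code), the snippet below shows why a prefix test on a ZIP entry name is an incomplete check of the kind described in step 6, and how a canonical-path check confines extraction to the module view directory. The .omod is constructed in memory and the function names are hypothetical.

```python
import io
import zipfile
from pathlib import Path
from typing import List, Optional, Tuple

MODULE_PREFIX = "web/module/"

def build_sample_omod() -> bytes:
    """Constructed sample .omod (a plain ZIP), not a real OpenMRS module:
    one legitimate view plus one Zip Slip entry like the advisory describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("web/module/portlet.jsp", "<%-- legitimate module view --%>")
        zf.writestr("web/module/../../../../evil.jsp", "<%-- traversal entry --%>")
    return buf.getvalue()

def prefix_check_passes(entry_name: str) -> bool:
    """Hypothetical incomplete check: only asks whether the entry name starts
    with web/module/. A traversal entry starts with that prefix, so it passes."""
    return entry_name.startswith(MODULE_PREFIX)

def resolved_target(extract_root: Path, entry_name: str) -> Optional[Path]:
    """Hardened check: join, canonicalise, then require the result to remain
    inside extract_root. Returns the safe target path, or None if it escapes."""
    root = extract_root.resolve()
    relative = entry_name[len(MODULE_PREFIX):]
    candidate = (root / relative).resolve()  # collapses any '..' components
    if candidate == root or root not in candidate.parents:
        return None
    return candidate

def safe_extract_module_views(omod_bytes: bytes, extract_root: Path) -> Tuple[List[str], List[str]]:
    """Extract only web/module/ entries into extract_root; entries that would
    escape are reported rather than written."""
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(omod_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.startswith(MODULE_PREFIX):
                continue
            target = resolved_target(extract_root, info.filename)
            if target is None:
                rejected.append(info.filename)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(str(target.relative_to(extract_root.resolve())))
    return written, rejected
```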

Impact

Successful exploitation of this vulnerability allows an attacker to write arbitrary files within the web application root directory of the OpenMRS instance. This can lead to remote code execution, allowing the attacker to gain complete control of the affected server. Given OpenMRS’s use in healthcare environments, a successful attack could compromise sensitive patient data, disrupt medical operations, and damage the reputation of the affected organization. The number of potentially affected installations is unknown, but the vulnerability impacts a widely used version of the platform.

Recommendation

  • Apply the patch or upgrade to a version of OpenMRS that includes the fix for CVE-2026-40076 to address the path traversal vulnerability.
  • Deploy the Sigma rule Detect OpenMRS Malicious Module Upload to identify exploitation attempts based on HTTP requests to the /openmrs/ws/rest/v1/module endpoint with suspicious file extensions in the query parameters.
  • Enable webserver logging to capture HTTP request data and facilitate detection and investigation efforts.
  • Monitor file creation events within the web application root directory for suspicious JSP files. Use the Sigma rule Detect JSP File Creation in Web Application Root as a starting point.
  • Enforce the module.allow_web_admin restriction consistently across all module upload entry points, including the REST API, to prevent bypass.

Detection coverage (2)

Detect OpenMRS Malicious Module Upload

high

Detects attempts to upload malicious modules to OpenMRS via the REST API endpoint with suspicious file extensions.

Format: Sigma. Tactics: initial_access. Techniques: T1566, T1566.001. Sources: webserver, linux.

Detect JSP File Creation in Web Application Root

critical

Detects the creation of JSP files in the web application root, which may indicate exploitation of a path traversal vulnerability.

Format: Sigma. Tactics: execution, persistence. Sources: file_event, linux.

Detection queries are kept inside the platform.