Overview
A critical-severity remote code execution vulnerability has been disclosed in OpenMRS Core, the widely deployed open-source electronic medical record platform. The flaw, tracked as CVE-2026-41258 with a CVSS score of 9.1, stems from the evaluation of database-stored strings as unsandboxed Apache Velocity templates in the ConceptReferenceRangeUtility.evaluateCriteria() method.
Technical Details
The ConceptReferenceRangeUtility.evaluateCriteria() method retrieves criteria strings from the OpenMRS database and passes them directly to the Apache Velocity template engine without any sandbox configuration. This allows an attacker who can influence these database-stored criteria — through legitimate application features or a prior SQL injection — to inject and execute arbitrary Velocity template expressions on the server.
Apache Velocity templates have access to the JVM runtime environment by default when no SecureUberspector or similar sandbox is enforced. This makes it possible to chain template directives to spawn system processes, read files, or establish reverse shells.
Attack chain:
- Attacker gains access to modify concept reference range criteria (authenticated role or secondary injection)
- Malicious Velocity template directive inserted into the criteria string
- OpenMRS Core evaluates the stored string server-side via Velocity
- Arbitrary code executes with the privileges of the OpenMRS application server
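The following is an added illustration, not code from OpenMRS or from the advisory, of the configuration difference the section describes: a VelocityEngine initialised with defaults (the unsandboxed case) beside one that enforces Velocity's SecureUberspector, which refuses method calls on java.lang.Class, ClassLoader, Runtime, System, Thread and friends and on anything under java.lang.reflect. Assumed: Apache Velocity 2.x on the classpath, a hypothetical `CriteriaEvaluator` class, and a constructed criteria string using a `$age` context variable (the real shape of OpenMRS reference range criteria is not given on this page). The reflective probe at the end only reads a class name; its purpose is to show that the sandboxed engine leaves the reference unrendered and logs a warning, which is the kind of evaluation error the Remediation section suggests monitoring for.

```java
// Added example (not OpenMRS code). Assumes Apache Velocity 2.x.
import java.io.StringWriter;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.runtime.RuntimeConstants;

public class CriteriaEvaluator {

    /** Unsandboxed engine: the default Uberspector resolves any public method
     *  reachable from a context object through reflection. */
    static VelocityEngine unsafeEngine() {
        VelocityEngine ve = new VelocityEngine();
        ve.init();
        return ve;
    }

    /** Sandboxed engine: SecureUberspector blocks method calls on the classes
     *  and packages listed below. Note that setting either restrict property
     *  REPLACES Velocity's built-in default list, so the defaults are repeated
     *  here in full and then widened (ProcessBuilder, java.io, java.nio, java.net). */
    static VelocityEngine sandboxedEngine() {
        VelocityEngine ve = new VelocityEngine();
        ve.setProperty(RuntimeConstants.UBERSPECT_CLASSNAME,
                "org.apache.velocity.util.introspection.SecureUberspector");
        ve.setProperty(RuntimeConstants.INTROSPECTOR_RESTRICT_PACKAGES,
                "java.lang.reflect, java.io, java.nio, java.net");
        ve.setProperty(RuntimeConstants.INTROSPECTOR_RESTRICT_CLASSES,
                "java.lang.Class, java.lang.ClassLoader, java.lang.Compiler, "
              + "java.lang.InheritableThreadLocal, java.lang.Package, java.lang.Process, "
              + "java.lang.Runtime, java.lang.RuntimePermission, java.lang.SecurityManager, "
              + "java.lang.System, java.lang.Thread, java.lang.ThreadGroup, "
              + "java.lang.ThreadLocal, java.lang.ProcessBuilder");
        ve.init();
        return ve;
    }

    /** Render one stored criteria string against a context and return the text.
     *  In Velocity 2.x, parse and method-invocation failures surface as runtime
     *  exceptions; a caller should catch them and log, never swallow them. */
    static String evaluate(VelocityEngine ve, String criteria, VelocityContext ctx) {
        StringWriter out = new StringWriter();
        ve.evaluate(ctx, out, "concept-reference-range", criteria);
        return out.toString().trim();
    }

    public static void main(String[] args) {
        VelocityContext ctx = new VelocityContext();
        ctx.put("age", 34); // constructed sample input

        // A benign criteria expression (assumed shape, not OpenMRS's real format).
        String criteria = "#if($age >= 18 && $age < 65)adult#{else}other#end";
        System.out.println(evaluate(sandboxedEngine(), criteria, ctx)); // adult

        // Reflective probe: reach java.lang.Class through a context value.
        // Default engine resolves it; the sandboxed engine finds no permitted
        // method on java.lang.Class, logs a warning, and leaves the reference
        // as literal text instead of executing it.
        String probe = "$age.getClass().getName()";
        System.out.println(evaluate(unsafeEngine(), probe, ctx));     // java.lang.Integer
        System.out.println(evaluate(sandboxedEngine(), probe, ctx));  // $age.getClass().getName()
    }
}
```

SecureUberspector narrows what a template can reach but does not make evaluating attacker-influenced strings safe in general; it is a defence-in-depth layer to pair with the upgrade, with tight write access to the tables that hold the criteria, and with alerting on the warnings the sandboxed engine emits when a blocked method is referenced.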
Affected Versions
| Branch | Affected Range | Fixed In |
|---|---|---|
| 2.7.x | 2.7.0 – 2.7.8 | 2.7.9 |
| 2.8.x | 2.8.0 – 2.8.5 | 2.8.6 |
Versions prior to 2.7.0 may also be affected but have not been assessed.
Impact
OpenMRS is used extensively across low- and middle-income countries for hospital and clinic patient management, often handling sensitive protected health information (PHI). Successful exploitation could result in:
- Full server compromise and lateral movement within the hospital network
- Exfiltration of patient records including diagnoses, medications, and personally identifiable information
- Ransomware deployment against healthcare infrastructure
- Disruption of clinical operations
Remediation
Upgrade immediately to the patched releases:
- OpenMRS Core 2.7.9 or later
- OpenMRS Core 2.8.6 or later
If an immediate upgrade is not possible, consider the following mitigations:
- Restrict database-level write access to the concept reference range tables to trusted administrative accounts only
- Enable database auditing to detect unauthorized modifications to criteria strings
- Apply network segmentation to limit the attack surface around the OpenMRS application server
- Monitor application logs for unexpected Velocity template evaluation errors