PatchSiren cyber security CVE debrief
CVE-2026-41258 openmrs CVE debrief
A critical remote code execution vulnerability exists in OpenMRS Core versions 2.7.0 through 2.7.8 and 2.8.0 through 2.8.5. The ConceptReferenceRangeUtility.evaluateCriteria() method evaluates database-stored criteria strings as Apache Velocity templates without sandboxing. The VelocityEngine is initialized with only logging properties and no SecureUberspector, leaving the default UberspectImpl in place, which permits unrestricted Java reflection through template expressions. A user with the Manage Concepts privilege can store a malicious Velocity template expression in a concept's reference range criteria field. This payload executes automatically whenever a user or API call validates an observation against the affected concept. The Velocity context exposes $patient (the Person/Patient object), $obs (the Obs object), and $fn (the ConceptReferenceRangeUtility instance, with access to the full OpenMRS service layer). This vulnerability is fixed in versions 2.7.9 and 2.8.6.
- Vendor: openmrs
- Product: openmrs-core
- CVSS: CRITICAL 9.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-15
- Original CVE updated: 2026-05-18
- Advisory published: 2026-05-15
- Advisory updated: 2026-05-18
Who should care
Healthcare organizations running OpenMRS electronic medical record systems; OpenMRS administrators and developers; security teams responsible for medical record system security; compliance officers overseeing HIPAA and healthcare data protection
Technical summary
The vulnerability stems from unsafe Velocity template evaluation in ConceptReferenceRangeUtility.evaluateCriteria(). The method renders criteria strings stored in the database as Velocity templates without a secure sandbox. The VelocityEngine configuration does not install the SecureUberspector, so the default UberspectImpl remains active and template expressions can use arbitrary Java reflection. An attacker holding the Manage Concepts privilege can inject malicious Velocity expressions (for example, calls through $fn, or reflection via the default UberspectImpl) into a concept's reference range criteria. These expressions execute during observation validation, with access to patient data ($patient), observation data ($obs), and the full service layer ($fn). The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H reflects a network attack vector, low attack complexity, high privileges required, no user interaction, changed scope, and high impact on confidentiality, integrity, and availability.
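As an added illustration of the configuration gap described above (this is example code, not OpenMRS code and not the vendor's fix shipped in 2.7.9 and 2.8.6): a VelocityEngine that keeps the default UberspectImpl next to one that installs Velocity's bundled SecureUberspector through the runtime.introspector.uberspect property, then renders one criteria string against the $patient and $obs names the advisory lists. PatientStub, ObsStub and the helper method names are constructed for this example.

```java
import java.io.IOException;
import java.io.StringWriter;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.runtime.RuntimeConstants;
import org.apache.velocity.util.introspection.SecureUberspector;

/**
 * Added example, not OpenMRS code: the default-introspector engine next to
 * one with SecureUberspector installed. Stub types are constructed here.
 */
public class VelocityCriteriaSandbox {

    /** Weak: no introspector configured, so Velocity's default UberspectImpl stays active. */
    static VelocityEngine unsandboxedEngine() {
        VelocityEngine engine = new VelocityEngine();
        engine.init();
        return engine;
    }

    /** Hardened: select SecureUberspector before init(); the property must be set first. */
    static VelocityEngine sandboxedEngine() {
        VelocityEngine engine = new VelocityEngine();
        // RuntimeConstants.UBERSPECT_CLASSNAME is "runtime.introspector.uberspect"
        engine.setProperty(RuntimeConstants.UBERSPECT_CLASSNAME,
                           SecureUberspector.class.getName());
        engine.init();
        return engine;
    }

    /**
     * Render one stored criteria string the way a reference-range check would.
     * Only $patient and $obs are placed in the context: nothing that reaches the
     * service layer is handed to the template (the advisory's $fn is omitted on purpose).
     */
    static String evaluateCriteria(VelocityEngine engine, String criteria,
                                   Object patient, Object obs) throws IOException {
        VelocityContext ctx = new VelocityContext();
        ctx.put("patient", patient);
        ctx.put("obs", obs);
        StringWriter out = new StringWriter();
        engine.evaluate(ctx, out, "concept-reference-range-criteria", criteria);
        return out.toString().trim();
    }

    /** Constructed stand-in for the Person/Patient object named in the advisory. */
    public static class PatientStub {
        private final int age;
        public PatientStub(int age) { this.age = age; }
        public int getAge() { return age; }
    }

    /** Constructed stand-in for the Obs object. */
    public static class ObsStub {
        private final double valueNumeric;
        public ObsStub(double valueNumeric) { this.valueNumeric = valueNumeric; }
        public double getValueNumeric() { return valueNumeric; }
    }

    public static void main(String[] args) throws IOException {
        // A legitimate criterion only compares patient and observation values,
        // so it renders identically under both engines.
        String legitimate =
            "#if($patient.age >= 18 && $obs.valueNumeric > 0)true#{else}false#end";
        PatientStub patient = new PatientStub(42);
        ObsStub obs = new ObsStub(5.5);

        System.out.println("default UberspectImpl: "
            + evaluateCriteria(unsandboxedEngine(), legitimate, patient, obs));
        System.out.println("SecureUberspector:     "
            + evaluateCriteria(sandboxedEngine(), legitimate, patient, obs));
    }
}
```

Two caveats a reviewer would apply. SecureUberspector only restricts which methods the introspector will resolve (by default it refuses lookups on java.lang.Class, ClassLoader, Runtime, Thread, System and the rest of its restricted list, plus the java.lang.reflect package); it does nothing about objects placed into the context, so a $fn helper with service-layer access would stay fully callable even under the hardened engine. Keeping the context to the minimum the criteria need is therefore as important as the introspector setting, and neither replaces the upgrade to 2.7.9 or 2.8.6.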
Defensive priority
critical
Recommended defensive actions
- Upgrade OpenMRS Core to 2.7.9 or later on the 2.7 line, or 2.8.6 or later on the 2.8 line
- Restrict Manage Concepts privilege to only trusted administrative users
- Audit concept reference range criteria fields for suspicious Velocity template expressions
- Monitor application logs for unusual Velocity template execution patterns
- Review and validate all custom concept reference range configurations
- Implement network segmentation to limit exposure of OpenMRS instances to untrusted networks
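One way to carry out the audit of stored criteria recommended above, as an added example that is not OpenMRS code: it scans criteria strings for Velocity constructs a range criterion has no reason to contain (reflection and class-loader access, nested-evaluation and file directives, references other than $patient, $obs and $fn) and lists every use of $fn for manual review. The sample rows and the method name on $fn are constructed; in a real audit the rows would come from the criteria column in the OpenMRS database, whose table and column names are not given in the advisory and are not assumed here.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Added example, not OpenMRS code: flag stored concept reference range
 * criteria that go beyond comparing $patient and $obs values.
 */
public class CriteriaAudit {

    /** One stored criteria string and the concept it is attached to. */
    public static final class CriteriaRow {
        public final String conceptId;
        public final String criteria;
        public CriteriaRow(String conceptId, String criteria) {
            this.conceptId = conceptId;
            this.criteria = criteria;
        }
    }

    /** One audit finding: the concept and why its criteria were flagged. */
    public static final class Finding {
        public final String conceptId;
        public final String reason;
        Finding(String conceptId, String reason) {
            this.conceptId = conceptId;
            this.reason = reason;
        }
        @Override public String toString() { return "concept " + conceptId + ": " + reason; }
    }

    // Reflection and class-loader access that a range criterion never needs.
    private static final Pattern REFLECTION = Pattern.compile(
        "\\.class\\b|getClass\\s*\\(|classLoader|forName\\s*\\(|java\\.lang\\.reflect"
        + "|\\b(getMethod|getDeclaredMethod|invoke|newInstance|Runtime|ProcessBuilder)\\b",
        Pattern.CASE_INSENSITIVE);

    // Directives that introduce nested evaluation, file access or new variables.
    private static final Pattern RISKY_DIRECTIVE =
        Pattern.compile("#\\{?(evaluate|parse|include|set)\\b");

    // The service-layer helper named in the advisory: every use deserves a manual look.
    // Covers $fn, $!fn, ${fn} and $!{fn}.
    private static final Pattern USES_FN = Pattern.compile("\\$!?\\{?fn\\b");

    // Any reference other than the three names the template is expected to see.
    private static final Pattern OTHER_REFERENCE =
        Pattern.compile("\\$!?\\{?(?!(patient|obs|fn)\\b)[A-Za-z_][A-Za-z0-9_]*");

    public static List<Finding> audit(List<CriteriaRow> rows) {
        List<Finding> findings = new ArrayList<>();
        for (CriteriaRow row : rows) {
            String c = row.criteria == null ? "" : row.criteria;
            if (REFLECTION.matcher(c).find()) {
                findings.add(new Finding(row.conceptId, "reflection or class-loader access"));
            }
            if (RISKY_DIRECTIVE.matcher(c).find()) {
                findings.add(new Finding(row.conceptId, "nested evaluation, file or #set directive"));
            }
            if (USES_FN.matcher(c).find()) {
                findings.add(new Finding(row.conceptId, "calls $fn (service-layer helper); review manually"));
            }
            if (OTHER_REFERENCE.matcher(c).find()) {
                findings.add(new Finding(row.conceptId, "references something other than $patient, $obs or $fn"));
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample rows; someHelperCall is a made-up method name, not an OpenMRS API.
        List<CriteriaRow> rows = Arrays.asList(
            new CriteriaRow("1001", "$patient.age >= 18 && $obs.valueNumeric < 120"),
            new CriteriaRow("1002", "$fn.someHelperCall($obs)"),
            new CriteriaRow("1003", "$obs.class.name"),
            new CriteriaRow("1004", "#set($tmp = $request.parameterMap)"));
        for (Finding f : audit(rows)) {
            System.out.println(f);
        }
    }
}
```

Row 1001 produces no finding; 1002 is listed for manual review of its $fn use; 1003 is flagged for class access; 1004 is flagged twice, for the #set directive and for the unexpected $request and $tmp references. Treat the patterns as a starting point for review, not a complete signature set: the upgrade and the privilege restriction above remain the controls that close the issue.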
Evidence notes
CVE published 2026-05-15; modified 2026-05-18. CVSS 3.1 score 9.1 (Critical). CWE-94: Improper Control of Generation of Code ('Code Injection'). Affected versions: 2.7.0 to before 2.7.9, and 2.8.0 to before 2.8.6. Fixed in 2.7.9 and 2.8.6.
Official resources
- CVE-2026-41258 CVE record (CVE.org)
- CVE-2026-41258 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-15