CVE-2026-40075 is a path traversal vulnerability (CWE-22) in the openmrs-core platform affecting versions <= 2.7.8 and 2.8.0 through 2.8.5. The vulnerability exists in the ModuleResourcesServlet at the /openmrs/moduleResources/{moduleid} endpoint, which constructs filesystem paths from user-controlled input without normalization or path boundary validation. This allows unauthenticated attackers to traverse directories and read arbitrary files on the server filesystem, including sensitive files such as /etc/passwd and configuration files with database credentials. Exploitation depends on the underlying Apache Tomcat version; versions prior to 8.5.31 do not mitigate the ..; path parameter bypass, while Tomcat 8.5.31 and later provide container-level protection. The vulnerability is resolved in openmrs-core versions after 2.7.8 and in 2.8.6 and later.

Successful exploitation allows unauthenticated attackers to read arbitrary files on the server hosting openmrs-core, potentially exposing sensitive system and application data such as user account information and database credentials. This can lead to further compromise of the system or data breaches. The impact is high due to the unauthenticated nature of the vulnerability and the sensitivity of accessible files. However, the risk is mitigated if the deployment uses Apache Tomcat 8.5.31 or later, which blocks the path traversal at the container level.

Upgrade openmrs-core to a fixed version: any version after 2.7.8 in the 2.7.x branch or version 2.8.6 and later. Additionally, ensure that the Apache Tomcat server is updated to version 8.5.31 or later, which provides container-level mitigation against the path traversal bypass. If upgrading openmrs-core is not immediately possible, upgrading Tomcat to a patched version can reduce risk. Patch status is not explicitly stated in the vendor advisory, but the fix is included in the specified versions. No other mitigations are indicated.