OpenMRS RCE: Critical Vulnerability Allows Unrestricted Java Reflection

A critical remote code execution (RCE) vulnerability, tracked as CVE-2026-41258, has been identified in OpenMRS Core, an open-source electronic medical record platform. According to the National Vulnerability Database, versions 2.7.0 through 2.7.8 and 2.8.0 through 2.8.5 are affected. The flaw lies in the ConceptReferenceRangeUtility.evaluateCriteria() method, which evaluates database-stored criteria strings as Apache Velocity templates without any sandboxing, so whatever a template can reach through the objects in its context, the stored string can reach too.

The vulnerability allows an attacker to store malicious Velocity template expressions in a concept's reference range criteria field; any account holding the Manage Concepts privilege can write there. Once stored, the payload runs automatically whenever a user or API call validates an observation against the affected concept, so the person who triggers execution need not be the one who planted it, and the trigger looks like routine clinical data entry. The Velocity context exposes $patient (the Person/Patient object), $obs (the Obs object) and $fn (a ConceptReferenceRangeUtility instance with full access to the OpenMRS service layer). Because the engine is not sandboxed, any of these objects yields a java.lang.Class via getClass(), and from there Class.forName() opens unrestricted Java reflection and full system compromise. The National Vulnerability Database assigns a CVSS score of 9.1 (Critical).
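To make the mechanism concrete, the following is an added illustration, not OpenMRS code and not the project's fix: a default-configured Velocity engine evaluates a stored criteria string with a helper object bound as $fn, exactly the shape the advisory describes, and the getClass().forName() chain resolves java.lang.Runtime. The same string evaluated under Velocity's built-in SecureUberspector has the chain cut, because that uberspector refuses getClass()/getClassLoader() and method calls on java.lang.Class, Runtime, System, Thread and java.lang.reflect. The CriteriaFunctions class, the sample criteria strings and the looksHostile() screen are all constructed here for the demonstration; the real $fn exposes the whole service layer. Assumes Apache Velocity 1.7 on the classpath (org.apache.velocity:velocity:1.7); the RuntimeConstants key used also exists in 2.x. Note that the probe only resolves the Runtime class and never calls exec().

```java
// VelocityCriteriaDemo.java -- added illustration, not OpenMRS code.
import java.io.StringWriter;
import java.util.regex.Pattern;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.runtime.RuntimeConstants;

public class VelocityCriteriaDemo {

    /** Hypothetical stand-in for the $fn helper; the real utility reaches the service layer. */
    public static class CriteriaFunctions {
        public int getAge() { return 42; }   // constructed sample value
    }

    /** Default engine: the unsandboxed configuration the advisory describes. */
    static VelocityEngine defaultEngine() throws Exception {
        VelocityEngine e = new VelocityEngine();
        e.init();
        return e;
    }

    /** Same engine with Velocity's SecureUberspector, which blocks getClass(),
     *  getClassLoader() and methods on java.lang.Class/Runtime/System/Thread and
     *  everything in java.lang.reflect. Defense in depth, not a substitute for patching. */
    static VelocityEngine hardenedEngine() throws Exception {
        VelocityEngine e = new VelocityEngine();
        e.setProperty(RuntimeConstants.UBERSPECT_CLASSNAME,
                "org.apache.velocity.util.introspection.SecureUberspector");
        e.init();
        return e;
    }

    /** Renders a criteria string the way a reference-range check would: $fn in context. */
    static String evaluate(VelocityEngine engine, String criteria) throws Exception {
        VelocityContext ctx = new VelocityContext();
        ctx.put("fn", new CriteriaFunctions());
        StringWriter out = new StringWriter();
        engine.evaluate(ctx, out, "criteria", criteria);
        return out.toString().trim();
    }

    // Cheap screen for stored criteria during an audit: legitimate range criteria compare
    // values and never need reflection, class loading or nested template evaluation.
    private static final Pattern GADGETS = Pattern.compile(
            "getClass|getClassLoader|forName|java\\.lang\\.(Runtime|ProcessBuilder|reflect)"
            + "|#evaluate|#parse|#include");

    static boolean looksHostile(String criteria) {
        return GADGETS.matcher(criteria).find();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a legitimate age-based criterion ...
        String legit = "#if($fn.getAge() >= 18)true#{else}false#end";
        // ... and a reflection probe with the same shape as the published payload,
        // resolving java.lang.Runtime but deliberately not calling getRuntime().exec().
        String probe = "$fn.getClass().forName('java.lang.Runtime')";

        VelocityEngine open = defaultEngine();
        VelocityEngine safe = hardenedEngine();

        // Unsandboxed: the probe renders "class java.lang.Runtime", i.e. reflection is reachable.
        System.out.println("default  / legit : " + evaluate(open, legit));
        System.out.println("default  / probe : " + evaluate(open, probe));
        // SecureUberspector: getClass() resolves to null, so the reference is left as
        // literal text and the chain never reaches Class.forName().
        System.out.println("hardened / legit : " + evaluate(safe, legit));
        System.out.println("hardened / probe : " + evaluate(safe, probe));
        System.out.println("screen flags probe: " + looksHostile(probe));
        System.out.println("screen flags legit: " + looksHostile(legit));
    }
}
```

Run with the Velocity 1.7 jar and its commons-collections/commons-lang dependencies on the classpath. The legitimate criterion evaluates to true under both engines, which is the point: a restricted uberspector costs nothing for the criteria the feature is meant to express. Whether the OpenMRS fix in 2.7.9/2.8.6 took this route or another is not stated on this page; patch to those versions regardless, and use the screen only to triage criteria already stored by Manage Concepts users.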

OpenMRS has fixed this vulnerability in versions 2.7.9 and 2.8.6, and organizations running OpenMRS Core should patch to those versions immediately. Because the template executes with access to patient records and the full service layer, the impact of exploitation ranges from data exfiltration to complete takeover of the host. The combination of code execution inside the application and direct reach into patient data makes this an attractive target in healthcare environments.

What This Means For You

  • If your organization uses OpenMRS Core, patch to version 2.7.9 or 2.8.6 immediately to close CVE-2026-41258. Audit accounts holding the `Manage Concepts` privilege, since that is the only privilege needed to plant the payload, and review every stored reference range criteria string for template directives and reflection gadgets (`#set`, `getClass`, `forName`, `Runtime`) rather than relying on endpoint logs alone: execution is triggered by ordinary observation validation, not by the write that stored the payload. The exposure of `$patient`, `$obs` and `$fn` means patient privacy, data integrity and the server itself are all directly at risk.

Detection Rules

3 rules · 6 SIEM formats

The rules were auto-generated for this vulnerability and mapped to MITRE ATT&CK; only the first rule's Sigma YAML is reproduced below.

Rule 1 · critical · T1190 Initial Access · CVE-2026-41258 - OpenMRS Unrestricted Java Reflection via Velocity Template

Sigma YAML:
title: CVE-2026-41258 - OpenMRS Unrestricted Java Reflection via Velocity Template
id: scw-2026-05-15-ai-1
status: experimental
level: critical
description: |
  Detects attempted exploitation of CVE-2026-41258: a POST to the concept reference
  range endpoint carrying a Velocity expression that reaches java.lang.Runtime through
  $fn.getClass().forName(). Database-stored criteria strings are evaluated as Apache
  Velocity templates without sandboxing, so a stored payload runs whenever an
  observation is validated against the concept. Caveat: the payload travels in the
  request body, so this rule only fires where the web server, reverse proxy or WAF
  logs the (possibly URL-encoded) body into the queried field; it does not see the
  later observation-validation call that actually executes the stored template.
author: SCW Feed Engine (AI-generated)
date: 2026-05-15
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-41258/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains: '/openmrs/admin/concepts/conceptReferenceRange'
    cs-method: 'POST'
    cs-uri-query|contains: 'evaluateCriteria'
  selection_payload:
    # Matches the gadget chain rather than one exact command so that
    # exec('whoami') and any other argument are caught alike.
    cs-uri-query|contains|all:
      - '$fn.getClass()'
      - 'forName('
  condition: selection and selection_payload
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World


Indicators of Compromise

ID              Type  Indicator
CVE-2026-41258  RCE   Affected versions: OpenMRS Core 2.7.0 through 2.7.8 and 2.8.0 through 2.8.5 (fixed in 2.7.9 and 2.8.6)
CVE-2026-41258  RCE   Vulnerable method: ConceptReferenceRangeUtility.evaluateCriteria()
CVE-2026-41258  RCE   Attack vector: malicious Apache Velocity template expression stored in a concept's reference range criteria field
CVE-2026-41258  RCE   Affected component: Apache Velocity templates evaluated without sandbox configuration
Source & Attribution

Source platform: NVD
Channel: National Vulnerability Database
Published: May 15, 2026 at 20:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Related coverage

  • coreMQTT CVE-2026-8686: DoS via Crafted MQTT v5.0 Packet (HIGH, 7.5). Missing bounds validation in the MQTT v5.0 property parser in coreMQTT before 5.0.1 allows an MQTT broker to cause a denial of service...

  • Vvveb CMS Vulnerability (CVE-2026-46408) Allows Cart Hijacking (HIGH, 7.6). Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, the...

  • Vvveb CMS API Token Disclosure (CVE-2026-46407) High Severity (HIGH, 8.1). Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, the...