Unrestricted Java Reflection Vulnerability in OpenMRS Electronic Medical Record System
CVE-2026-41258

9.1 CRITICAL

Key Information:

Vendor: OpenMRS
CVE Published: 15 May 2026

What is CVE-2026-41258?

OpenMRS, an open-source electronic medical record system, contains a vulnerability that allows a user holding the Manage Concepts privilege to execute arbitrary code. The ConceptReferenceRangeUtility.evaluateCriteria() method evaluates database-stored reference range criteria as Apache Velocity templates without any sandbox restrictions, so a malicious expression saved in a concept's reference range criteria field is executed whenever an observation for that concept is validated. Because the expression runs with the application's own permissions, patient data and system integrity can be compromised. The vulnerability is remediated in versions 2.7.9 and 2.8.6.
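Added example, not OpenMRS code and not the fix shipped in 2.7.9/2.8.6 (which this page does not describe): the same pattern of evaluating a stored criterion as a Velocity template, once with the default introspector and once with Velocity's SecureUberspector, which refuses getClass()/getClassLoader() and calls into its restricted class and package lists (java.lang.Class, java.lang.Runtime, java.lang.reflect, and others). The criterion strings and the patientAge variable are constructed for the demonstration.

```java
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.runtime.RuntimeConstants;
import org.apache.velocity.util.introspection.SecureUberspector;

public class CriteriaEvaluationDemo {

    /** Weak setting: default introspector, every public method reachable from the context is callable. */
    static VelocityEngine unrestrictedEngine() {
        VelocityEngine engine = new VelocityEngine();
        engine.init();
        return engine;
    }

    /** Hardened setting: SecureUberspector blocks getClass()/getClassLoader() and the
     *  restricted java.lang and java.lang.reflect types, so a template cannot walk
     *  from a context object to Class, ClassLoader or Runtime. It is not a full sandbox:
     *  anything dangerous placed directly into the context stays reachable, so untrusted
     *  database text should not be treated as a template at all where that can be avoided. */
    static VelocityEngine restrictedEngine() {
        VelocityEngine engine = new VelocityEngine();
        engine.setProperty(RuntimeConstants.UBERSPECT_CLASSNAME, SecureUberspector.class.getName());
        engine.init();
        return engine;
    }

    /** Renders a stored criterion against the supplied variables and returns the trimmed output. */
    static String evaluate(VelocityEngine engine, String criterion, Map<String, Object> vars) {
        VelocityContext ctx = new VelocityContext(new HashMap<>(vars));
        StringWriter out = new StringWriter();
        engine.evaluate(ctx, out, "reference-range-criteria", criterion);
        return out.toString().trim();
    }

    public static void main(String[] args) {
        // Constructed sample: a legitimate age-based criterion of the kind a reference range stores.
        Map<String, Object> vars = new HashMap<>();
        vars.put("patientAge", 34);
        String benign = "#if($patientAge >= 18 && $patientAge < 65)true#{else}false#end";
        System.out.println(evaluate(restrictedEngine(), benign, vars));

        // Verification probe: the default engine resolves the reflection call on a context
        // object; the hardened engine logs a warning and leaves the reference unrendered.
        String probe = "$patientAge.getClass()";
        System.out.println(evaluate(unrestrictedEngine(), probe, vars));
        System.out.println(evaluate(restrictedEngine(), probe, vars));
    }
}
```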

Affected Version(s)

openmrs-core >= 2.7.0, < 2.7.9 (fixed in 2.7.9)

openmrs-core >= 2.8.0, < 2.8.6 (fixed in 2.8.6)

CVSS v3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed
