OpenMRS Core

Stored Velocity SSTI to RCE via ConceptReferenceRange

The ConceptReferenceRangeUtility.evaluateCriteria() method evaluates database-stored criteria strings as Apache Velocity templates without sandbox configuration. A user with the Manage Concepts privilege can store a malicious template expression that executes whenever an observation is validated against the affected concept.

This advisory contains limited information during coordinated disclosure. Please check back later for full details.

  • Severity: Critical
  • CVSS: 9.1
  • CVSS 3.1 Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
  • CWE: CWE-94 (Improper Control of Generation of Code (Code Injection))
  • Product: OpenMRS Core
  • Affected Versions: 2.7.0 through 2.7.8; 2.8.0 through 2.8.5
  • Fixed In: 2.7.9 and 2.8.6
  • CVE: CVE-2026-41258
  • GHSA: GHSA-xj4f-8jjg-vx4q

Description

A user with the Manage Concepts privilege can store a Velocity template payload in a concept reference range. The payload is evaluated without a secure introspection policy whenever an observation is validated against that concept, and persists in the database across restarts.

Impact

  • Persistent remote code execution as the application server process, triggered automatically on any subsequent observation validation against the affected concept.
  • Privilege escalation from Manage Concepts (a content-management privilege typically held by data entry staff) to arbitrary code execution.
  • Exposure of Protected Health Information through the template context, including patient identifiers, demographics, and clinical observations.

Mitigation

Update OpenMRS Core to 2.7.9 or 2.8.6. Until the update can be deployed, restrict the Manage Concepts privilege to trusted users and audit existing ConceptReferenceRange criteria entries in the database.
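A starting point for the audit step above, added here as an example and not OpenMRS project code: it flags stored criteria strings that carry Velocity directives, reflection-related tokens, or references beyond the expected `$patient` context. The sample rows, the row layout, and the assumption that legitimate criteria only reference `$patient` are constructed for this example, not taken from the OpenMRS schema.

```python
import re
from dataclasses import dataclass

# Constructed sample rows standing in for the concept reference range criteria
# stored in the database (row layout and the $patient criterion syntax are
# assumptions made for this example, not the real OpenMRS schema).
SAMPLE_ROWS = [
    (1, "$patient.getAge() >= 18"),
    (2, "$patient.getAge() > 1 && $patient.getAge() <= 10"),
    (3, "$patient.getGender() == 'F' && $patient.getAge() >= 15"),
    (4, "#set($c = $patient.getClass()) $c.getName() == 'x'"),
    (5, "$obs.getPerson().getAge() > 40"),
]

# Velocity directives have no place in a boolean range criterion.
DIRECTIVE = re.compile(r"#\s*(set|foreach|evaluate|parse|include|macro|define)\b", re.I)
# Reflection / process-related tokens a benign criterion never needs.
REFLECTION = re.compile(r"\b(getClass|forName|ClassLoader|Runtime|ProcessBuilder|Thread)\b")
# The only top-level Velocity reference a legitimate criterion should use (assumed).
ALLOWED_REFS = {"patient"}
REFERENCE = re.compile(r"\$!?\{?([A-Za-z_]\w*)")

@dataclass
class Finding:
    row_id: int
    reasons: list

def audit_criterion(row_id, criteria):
    """Return a Finding describing why the criterion is suspicious, else None."""
    reasons = []
    if DIRECTIVE.search(criteria):
        reasons.append("velocity directive")
    if REFLECTION.search(criteria):
        reasons.append("reflection or process access")
    unexpected = sorted(set(REFERENCE.findall(criteria)) - ALLOWED_REFS)
    if unexpected:
        reasons.append("unexpected reference: " + ", ".join(unexpected))
    return Finding(row_id, reasons) if reasons else None

def audit_rows(rows):
    """Audit (row_id, criteria) pairs and return only the flagged rows."""
    return [f for f in (audit_criterion(i, c) for i, c in rows) if f]

if __name__ == "__main__":
    for f in audit_rows(SAMPLE_ROWS):
        print(f"row {f.row_id}: {'; '.join(f.reasons)}")
```

Any flagged row should be reviewed by hand and, where the criterion is not a plain `$patient` comparison, removed before the upgrade is rolled out.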

References

Who We Are

The security researchers behind this advisory.

Dr. rer. nat. Simon Weber

Senior Pentester & MedSec Researcher

I evaluate your SaMD with the same industry-defining security insight I contributed to the BAK MV for the revision of the B3S standard.

  • PhD on Hospital Cybersecurity
  • Critical vulnerabilities found in hospital systems
  • Alumni of THB MedSec Research Group
  • gematik Security Hero

Dipl.-Inf. Volker Schönefeld

Senior Application Security Expert

As a former CTO and developer turned pentester, I work alongside your team to uncover vulnerabilities and find solutions that fit your architecture.

  • 20+ years as CTO, 50M+ app downloads
  • Architected and secured large-scale IoT fleets
  • Certified Web Exploitation Specialist
  • gematik Security Hero

Looking for a Penetration Test?

Machine Spirits specializes in security assessments for medical devices and healthcare IT. From MDR penetration testing to C5 cloud compliance, we help MedTech companies meet regulatory requirements.