Platform
php
Component
openemr
Fixed in
7.0.5
CVE-2026-24849 describes an Arbitrary File Access vulnerability affecting OpenEMR versions up to 7.0.4. This flaw allows authenticated users to read sensitive files from the server's filesystem, potentially leading to data breaches and unauthorized access. The vulnerability resides in the disposeDocument() method within EtherFaxActions.php. A patch is available in version 7.0.4.
An attacker exploiting this vulnerability can leverage their authenticated user account to read any file accessible by the web server process. This includes configuration files, database credentials, patient records, and other sensitive data. The impact is significant, as it allows for complete exposure of the server's filesystem to a privileged user. Successful exploitation could lead to data exfiltration, system compromise, and regulatory non-compliance, particularly concerning protected health information (PHI). This vulnerability shares similarities with other file access vulnerabilities where improper input validation allows attackers to manipulate file paths.
CVE-2026-24849 was publicly disclosed on 2026-02-25. The vulnerability's criticality (CVSS 10) indicates a high probability of exploitation. No public proof-of-concept (PoC) code has been publicly released as of this writing, but the ease of exploitation given authenticated access suggests it is likely to be developed. It is not currently listed on CISA KEV.
Exploit Status
EPSS
0.01% (1% percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to immediately upgrade OpenEMR to version 7.0.4 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds. Restrict file system permissions for the web server user to the absolute minimum required for OpenEMR operation. Implement a Web Application Firewall (WAF) with rules to block requests containing suspicious file paths or attempts to access files outside of designated directories. Monitor access logs for unusual file access patterns, particularly requests targeting sensitive file extensions or locations. After upgrading, confirm the fix by attempting to access a known sensitive file via the vulnerable endpoint – access should be denied.
Actualice OpenEMR a la versión 7.0.4 o superior. Esta versión contiene la corrección de seguridad que impide la lectura arbitraria de archivos. Se recomienda realizar una copia de seguridad antes de actualizar.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-24849 is a critical vulnerability in OpenEMR versions 7.0.4 and earlier, allowing authenticated users to read arbitrary files from the server's filesystem.
You are affected if you are running OpenEMR versions 7.0.4 or earlier. Verify your version and upgrade immediately.
Upgrade OpenEMR to version 7.0.4 or later. Implement temporary workarounds like restricting file system permissions and using a WAF if immediate upgrade is not possible.
While no public exploits are currently known, the vulnerability's criticality and ease of exploitation suggest it is likely to be targeted.
Refer to the OpenEMR security advisory page for the latest information and updates regarding CVE-2026-24849: [https://openemr.org/security/](https://openemr.org/security/)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.