CVE-2026-24488

MEDIUM

OpenEMR <=8.0.0 - Arbitrary File Exfiltration

Title source: llm

Description

OpenEMR is a free and open source electronic health records and medical practice management application. In versions up to and including 8.0.0, an arbitrary file exfiltration vulnerability in the fax sending endpoint allows any authenticated user to read and transmit any file on the server (including database credentials, patient documents, system files, and source code) via fax to an attacker-controlled phone number. The vulnerability exists because the endpoint accepts arbitrary file paths from user input and streams them to the fax gateway without path restrictions or authorization checks. As of time of publication, no known patched versions are available.

References (2)

Core 2

Core References

Vendor Advisory x_refsource_confirm

https://github.com/openemr/openemr/security/advisories/GHSA-765x-8v97-c7g8

Third Party Advisory x_refsource_misc

https://github.com/openemr/openemr/blob/v7_0_4/interface/modules/custom_modules/oe-module-faxsms/src/Controller/EtherFaxActions.php#L177-L221

View Writeup ZIP pw:eip

Scores

CVSS v3 6.5

EPSS 0.0001

EPSS Percentile 1.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-22

Status published

Products (1)

open-emr/openemr < 8.0.0

Published Feb 27, 2026

Tracked Since Feb 28, 2026