CVE-2026-24849

CRITICAL

OpenEMR < 7.0.4 - Authenticated Path Traversal via EtherFaxActions.php disposeDocument()

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-24849. PoCs published by doany1.

AI-analyzed exploit summary
This exploit demonstrates an authenticated arbitrary file read in OpenEMR < 7.0.4 via the Fax/SMS module's EtherFaxActions::disposeDoc() method, which passes a user-supplied file_path parameter directly to readfile() without validation. The exploit includes authentication handling and file read functionality, and warns that the target file is unlink()ed after it is read, so every successful read is also a deletion on the server.

Description

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 7.0.4, the `disposeDocument()` method in `EtherFaxActions.php` allows authenticated users to read arbitrary files from the server filesystem. Any authenticated user (regardless of privilege level) can exploit this vulnerability to read sensitive files. Version 7.0.4 patches the issue. Note that the PoC analysis reports the file is unlinked after it is read, so a successful read also deletes the target file as the web-server user; this is consistent with the high integrity and availability impact in the CVSS vector, and testers should read only copies they are prepared to lose.
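The pattern described above, reconstructed as an added example that is not OpenEMR's code: a disposal routine that hands a request-supplied path straight to readfile() and unlink(), beside a hardened variant that anchors the path under a module document directory and rejects anything that resolves outside it. Function names, the base directory layout, and the sample filenames are assumptions for illustration; PHP 8.0+ is assumed for str_contains() and str_starts_with().

```php
<?php
// Illustrative reconstruction of the CVE-2026-24849 pattern. This is NOT
// OpenEMR's code: function names, directory layout and inputs are assumed.
declare(strict_types=1);

// Vulnerable pattern: the caller-controlled path reaches readfile() and
// unlink() unchecked, so any authenticated user can read and then delete
// any file the web-server user can access (e.g. ../../../../etc/passwd).
function disposeDocumentVulnerable(string $filePath): void
{
    header('Content-Type: application/octet-stream');
    readfile($filePath);
    unlink($filePath);
}

// Hardened helper: resolve the requested name relative to $baseDir and
// return the absolute path only if it is a regular file inside $baseDir.
function resolveInsideBase(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Refuse NUL bytes and absolute paths before touching the filesystem.
    if (str_contains($requested, "\0")
        || str_starts_with($requested, '/')
        || str_starts_with($requested, '\\')) {
        return null;
    }
    // realpath() follows symlinks and collapses "..", and returns false if
    // any component does not exist, so traversal that leaves an existing
    // tree fails here rather than later.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false) {
        return null;
    }
    // Containment check on the resolved path, not on the raw input.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (!str_starts_with($candidate, $prefix) || !is_file($candidate)) {
        return null;
    }
    return $candidate;
}

// Hardened disposal: same read-then-delete behaviour, but only for files
// that live under the module's own document directory.
function disposeDocumentHardened(string $baseDir, string $requested): bool
{
    $path = resolveInsideBase($baseDir, $requested);
    if ($path === null) {
        http_response_code(400);
        return false;
    }
    header('Content-Type: application/octet-stream');
    readfile($path);
    unlink($path);
    return true;
}

// Demo on a throwaway directory with one constructed sample document.
function demo(): array
{
    $base = sys_get_temp_dir() . '/etherfax-demo-' . bin2hex(random_bytes(4));
    mkdir($base, 0700);
    file_put_contents($base . '/fax-001.pdf', "%PDF-1.4 constructed sample\n");

    $requests = [
        'fax-001.pdf',             // legitimate: inside the base directory
        '../../../../etc/passwd',  // classic traversal out of the base
        '/etc/passwd',             // absolute path
        'sub/../fax-001.pdf',      // nonexistent component, realpath() fails
    ];
    $verdicts = [];
    foreach ($requests as $req) {
        $verdicts[$req] = resolveInsideBase($base, $req) === null ? 'REJECTED' : 'allowed';
    }

    unlink($base . '/fax-001.pdf');
    rmdir($base);
    return $verdicts;
}

foreach (demo() as $req => $verdict) {
    printf("%-26s %s\n", $req, $verdict);
}
```

Run with `php example.php`: the plain filename is allowed and the three traversal-style inputs are rejected before any file is read or removed. The important design choice is validating the resolved path rather than the raw string; a denylist on ".." is bypassable, while a realpath() plus prefix check is not.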

Exploits (2)

exploitdb · WORKING POC
by doany1 · python · webapps · multiple
https://www.exploit-db.com/exploits/52610

This exploit demonstrates an authenticated arbitrary file read vulnerability in OpenEMR < 7.0.4 via the Fax/SMS module's EtherFaxActions::disposeDoc() method, which passes a user-supplied file_path parameter directly to readfile() without validation. The exploit includes authentication handling and file read functionality, with a warning about the destructive unlink() call post-read.

Classification: Working PoC (100%)
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: OpenEMR < 7.0.4
Auth required
Prerequisites: Valid OpenEMR credentials · Fax/SMS module enabled with EtherFax as the provider
Analyzed by devstral-2 on Jun 09, 2026
github · WORKING POC
by doany1 · python · poc
https://github.com/doany1/CVE-2026-24849

This repository contains a functional Python exploit for CVE-2026-24849, an authenticated arbitrary file read vulnerability in OpenEMR's Fax/SMS module. The exploit demonstrates the vulnerability by reading arbitrary files from the server filesystem as the web-server user.

Classification: Working PoC (100%)
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: OpenEMR < 7.0.4
Auth required
Prerequisites: Valid OpenEMR credentials · Fax/SMS module enabled with EtherFax as the provider
Analyzed by devstral-2 on Jun 06, 2026

Scores

CVSS v3 9.9
EPSS 0.0150
EPSS Percentile 70.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-22
Status published
Products (1)
open-emr/openemr < 7.0.4
Published Feb 25, 2026
Tracked Since Feb 25, 2026