This vulnerability, identified as CVE-2026-24849, affects OpenEMR versions prior to 7.0.4. The flaw resides in the Fax/SMS module's EtherFaxActions::disposeDoc() method, which fails to validate the file_path parameter before passing it to the readfile() function. Because the method does not perform an authentication check beyond verifying a valid session, any authenticated user—even those with low privileges like receptionists—can read sensitive files such as database credentials or system configurations.
A critical and destructive aspect of this exploit is that the vulnerable method calls unlink() on the target file immediately after reading it. This means that if the web-server user has the necessary permissions, the file will be deleted from the system. Analysts are cautioned to target root-owned files or locations where the web-server lacks write access to prevent unintended data loss during verification.
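The two halves of the flaw described above, unvalidated `file_path` flowing into `readfile()` and then `unlink()`, are easiest to see as a vulnerable handler beside a confined one. This is an added, constructed example and is not OpenEMR's code: `disposeDocVulnerable()`, `disposeDocHardened()`, `$allowedDir` and the `$hasFaxPrivilege` flag are all placeholders for the real module's method, document directory and ACL check.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern the advisory describes (constructed, not OpenEMR's code):
// the request value reaches readfile() and unlink() unchanged, so any valid
// session can read, and then delete, any file the web-server user can access.
function disposeDocVulnerable(string $filePath): void
{
    readfile($filePath);
    unlink($filePath);
}

// Hardened pattern (constructed): authorize first, then canonicalize the path
// and confine it to the module's own document directory.
//   $allowedDir       - placeholder for the fax module's document directory
//   $hasFaxPrivilege  - placeholder for the application's role/ACL decision
function disposeDocHardened(string $filePath, string $allowedDir, bool $hasFaxPrivilege): bool
{
    if (!$hasFaxPrivilege) {
        http_response_code(403);          // a session alone is not enough
        return false;
    }

    $base = realpath($allowedDir);
    $real = realpath($filePath);

    // realpath() collapses "../" segments and resolves symlinks, and returns
    // false for missing paths, so the prefix check runs on canonical paths.
    // The trailing separator stops "/srv/fax" from matching "/srv/fax2".
    $insideBase = $base !== false && $real !== false
        && strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0;

    if (!$insideBase || !is_file($real)) {
        http_response_code(400);
        // Log the rejected value for detection; never echo it back to the client.
        error_log(sprintf('disposeDoc: rejected file_path %s (outside %s)', $filePath, $allowedDir));
        return false;
    }

    readfile($real);
    unlink($real);                        // now only ever removes a module-owned document
    return true;
}
```

A request such as `file_path=../../sites/default/sqlconf.php` fails the prefix check in the hardened version before any file is opened, and the rejected value lands in the error log where it can be alerted on.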