A vulnerability classified as critical was found in OpenMRS up to 2.7.8/2.8.5 . Impacted is the function WebModuleUtil.startModule of the file /openmrs/ws/rest/v1/module of the component REST Endpoint . Such manipulation leads to path traversal. This vulnerability is listed as CVE-2026-40076 . The attack may be performed from remote. There is no available exploit. Upgrading the affected component is advised.