Privilege Escalation Leads to RCE in Medplum


Vulnerability Reports
March 6, 2024

Jason Franscisco

CVE Number


Loginsoft ID



Description

The application "Medplum" is affected by a privilege escalation vulnerability that can lead to the execution of system commands on the server. An attacker holding only practitioner (non-admin) privileges can elevate themselves to project admin by editing their own ProjectMembership resource through the ProjectMembership endpoint, and can then execute system commands through the bot editor.


CWE-269: Improper Privilege Management

CWE-94: Improper Control of Generation of Code ('Code Injection')

Affected Versions

< v3.0.7


CVSS Score

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H : 8.8 (High)

Steps To Reproduce

  1. Create a practitioner with non-admin privileges.
  2. Log in as the practitioner and navigate to the endpoint `/ProjectMembership`.
  3. Click on the ID of the practitioner and navigate to the edit section.
  4. Scroll to the bottom and enable the admin option. On submitting the request, the practitioner becomes a project administrator.
  5. On reloading the browser, the changes are reflected.
  6. Navigate to Project under the admin section, then proceed to Bots.
  7. Click on the bot's name and then open the link associated with the bot's name.
  8. Navigate to the editor section, input the payload below, and execute the command. This action triggers a system command, leading to the creation of a file in the Documents folder.

```javascript
// Proof-of-concept bot code from the report: runs a shell command on the server
// hosting the bot runtime and creates a marker file in the given directory.
const { exec } = require('child_process');
const path = '/home/ubuntu/Documents';
const command = 'touch RCE';

exec(command, { cwd: path });
```


Impact

Ability to run arbitrary commands on the server's operating system.


Remediation

Remove the option for non-admin users to change their own admin status, or restrict access to the ProjectMembership endpoint so that only project administrators can modify membership privileges. Additionally, add filters in the bot editor to prevent the execution of system commands.
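The following is an added illustration of the first remediation point, not Medplum's own code: a server-side guard that rejects a ProjectMembership update when a non-admin caller changes a privileged field such as `admin`. The resource shapes, the `Requester` type and the function names are simplifying assumptions for this example.

```typescript
// Added illustrative example (not Medplum's code). Assumed, simplified shapes.
interface Reference { reference: string; }

interface ProjectMembership {
  resourceType: 'ProjectMembership';
  id: string;
  project: Reference;
  user: Reference;
  profile: Reference;
  admin?: boolean;
  accessPolicy?: Reference;
}

// Who is making the request. `isProjectAdmin` must be resolved server-side
// from the caller's *stored* membership, never taken from the request body.
interface Requester {
  membershipId: string;
  isProjectAdmin: boolean;
}

export class AuthorizationError extends Error {}

// Fields that only a project admin may change on any membership.
const PRIVILEGED_FIELDS = ['admin', 'accessPolicy', 'project', 'user'] as const;
type PrivilegedField = (typeof PRIVILEGED_FIELDS)[number];

function changedPrivilegedFields(before: ProjectMembership, after: ProjectMembership): PrivilegedField[] {
  return PRIVILEGED_FIELDS.filter((f) => {
    if (f === 'admin') return Boolean(before.admin) !== Boolean(after.admin);
    return JSON.stringify(before[f] ?? null) !== JSON.stringify(after[f] ?? null);
  });
}

// Returns the privileged fields the update touches; throws when the requester
// is not a project admin and tries to change any of them. Edits that touch
// only non-privileged fields (e.g. `profile`) pass through with an empty list.
export function checkMembershipUpdate(requester: Requester, existing: ProjectMembership, incoming: ProjectMembership): PrivilegedField[] {
  const changed = changedPrivilegedFields(existing, incoming);
  if (changed.length > 0 && !requester.isProjectAdmin) {
    throw new AuthorizationError(`membership ${requester.membershipId} may not change ${changed.join(', ')} on ${existing.id}`);
  }
  return changed;
}

// Constructed sample membership used for demonstration and tests.
export function sampleMembership(admin: boolean): ProjectMembership {
  return { resourceType: 'ProjectMembership', id: 'membership-1', project: { reference: 'Project/p1' },
    user: { reference: 'User/u1' }, profile: { reference: 'Practitioner/pr1' }, admin };
}
```

The thrown error message is also a useful audit signal: logging it gives detection coverage for the self-promotion attempt described in the steps above.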



Discovered Date

15 February 2024

Reported Date

19 February 2024

Patched Date

01 March 2024


Saharsh Agrawal
