Is Loris affected by CVE-2026-26985?

A HIGH severity vulnerability (CVE-2026-26985) has been identified in LORIS, our self-hosted neuroimaging research data management system, with no patch currently available.

CVE-2026-26985

HIGH

2026-02-25 [email protected]

8.1

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

CVE Published

Feb 25, 2026 - 22:16 nvd

HIGH 8.1

Description

LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. Starting in version 24.0.0 and prior to versions 26.0.5, 27.0.2, and 28.0.0, an authenticated user with the appropriate authorization can read configuration files on the server by exploiting a path traversal vulnerability. Some of these files contain hard-coded credentials. The vulnerability allows an attacker to read configuration files containing hard-coded credentials. The attacker could then authenticate to the database or other services if those credentials are reused. The attacker must be authenticated and have the required permissions. However, the vulnerability is easy to exploit and the application source code is public. This problem is fixed in LORIS v26.0.5 and v27.0.2 and above, and v28.0.0 and above. As a workaround, the electrophysiogy_browser in LORIS can be disabled by an administrator using the module manager.

Analysis

Authenticated users in LORIS 24.0.0 through 28.0.0 can exploit a path traversal vulnerability to read arbitrary configuration files containing hardcoded database and service credentials. An attacker with valid application access and appropriate permissions can leverage publicly available source code to easily craft requests that expose these sensitive files, potentially enabling lateral movement to backend systems. …

Remediation

Within 24 hours: Inventory all LORIS instances in production and development environments; notify research teams of the vulnerability and potential data exposure risk. Within 7 days: Implement compensating controls (network segmentation, WAF rules, access logging) and engage LORIS vendor for patch timeline and temporary workarounds. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +40

POC: 0

CVE-2026-26985 vulnerability details – vuln.today

Back

CVE-2026-26985

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-26985

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code