Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionGitHub Advisory
LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 16.1.0 to before 27.0.3 and 28.0.1, While the frontend of the media module filters files that the user should not have access to, the backend was not applying access checks and it would be possible for someone who should not have access to a file to access it if they know the filename. This vulnerability is fixed in 27.0.3 and 28.0.1.
AnalysisAI
LORIS (Longitudinal Online Research and Imaging System) versions 16.1.0 through 27.0.2 and 28.0.0 allow authenticated users to bypass backend access controls in the media module and access files they should not have permission to view, provided they know the filename. The vulnerability stems from missing server-side authorization checks that should prevent unauthorized file access, enabling confidentiality and integrity compromise of sensitive neuroimaging research data. The issue is fixed in versions 27.0.3 and 28.0.1.
Technical ContextAI
LORIS is a web-based research data management platform commonly deployed in neuroimaging institutions to store and manage imaging datasets and project metadata. The media module handles file storage and retrieval; it implements frontend-only filtering to restrict file visibility based on user permissions. However, the backend HTTP endpoints that serve files do not validate whether the requesting authenticated user has authorization to access the specific file resource, allowing direct requests to known file paths to bypass the intended access control model. This is a classic authorization bypass pattern (CWE-639: Authorization Bypass Through User-Controlled Key) where insufficient server-side validation of user permissions allows an authenticated attacker to access resources belonging to other projects or users. The affected product is identified by CPE cpe:2.3:a:aces:loris:*:*:*:*:*:*:*:* across versions 16.1.0 to 27.0.2 and 28.0.0.
RemediationAI
Vendor-released patches are available: upgrade to LORIS 27.0.3 or later for the 27.x branch, or 28.0.1 or later for the 28.x branch. Administrators should prioritize testing and deploying these patched versions to resolve the backend access control bypass. No workarounds are available that mitigate the vulnerability without patching, since the root cause is missing server-side authorization logic in the backend media module that cannot be compensated by frontend filtering alone. Detailed guidance and patch downloads are provided in the GitHub Security Advisory at https://github.com/aces/Loris/security/advisories/GHSA-p42c-4gmq-hrjw.
Remote code execution in LORIS neuroimaging platform allows authenticated users with sufficient privileges to bypass pat
Reflected cross-site scripting and arbitrary markdown file download in LORIS help_editor module affects versions prior t
Authenticated users in LORIS 24.0.0 through 28.0.0 can exploit a path traversal vulnerability to read arbitrary configur
Path traversal in LORIS neuroimaging research platform versions 24.0.0 through 27.0.2 and 28.0.0 allows authenticated at
SQL injection in LORIS neuroimaging research platform versions prior to 27.0.3 and 28.0.1 enables unauthenticated remote
Path traversal in LORIS neuroimaging research platform (versions 20.0.0 through 27.0.2 and 28.0.0) enables unauthenticat
Cross-site scripting (XSS) in LORIS survey_accounts module (versions 15.10 through 27.0.2 and 28.0.0) allows authenticat
LORIS versions 21.0.0 through 27.0.2 and 28.0.0 suffer from broken access control in the document_repository backend end
LORIS (Longitudinal Online Research and Imaging System) versions 20.0.0 through 27.0.2 and 28.0.0 allow authenticated us
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20570