Skip to main content

Loris CVE-2026-35165

| EUVDEUVD-2026-20572 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-04-08 GitHub_M
6.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
27.0.3,28.0.1
EUVD ID Assigned
Apr 08, 2026 - 19:31 euvd
EUVD-2026-20572
Analysis Generated
Apr 08, 2026 - 19:31 vuln.today
CVE Published
Apr 08, 2026 - 18:23 nvd
MEDIUM 6.3

DescriptionGitHub Advisory

LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 21.0.0 to before 27.0.3 and 28.0.1, while the document_repository frontend was restricting file access, the backend endpoint was not correctly verifying access permissions. A user could theoretically download a file that they should not have access to, if they know or can brute force the filename. This vulnerability is fixed in 27.0.3 and 28.0.1.

AnalysisAI

LORIS versions 21.0.0 through 27.0.2 and 28.0.0 suffer from broken access control in the document_repository backend endpoint, allowing authenticated users to bypass frontend restrictions and download files they should not have access to by knowing or brute-forcing filenames. CVSS 6.3 (medium severity) with confirmed patch availability in versions 27.0.3 and 28.0.1. No public exploit code or active exploitation confirmed.

Technical ContextAI

LORIS is a self-hosted neuroimaging research data management web application. The vulnerability stems from CWE-639 (Authorization Bypass Through User-Controlled Key), where the frontend document_repository interface enforces access controls, but the corresponding backend API endpoint fails to validate whether the authenticated user has permission to access the requested file resource. An attacker with valid user credentials can enumerate or guess filenames and directly request them from the backend, bypassing the frontend's permission checks. The issue affects multiple major versions (21.x through 27.x and 28.0.0) across the aces/loris product line.

RemediationAI

Upgrade LORIS immediately to version 27.0.3 (for users on the 27.x branch) or version 28.0.1 (for users on the 28.x branch). Users on versions 21.0.0 through 27.0.2 should migrate to the latest patched release. No workarounds are documented; patching is the only confirmed fix. Refer to the official security advisory at https://github.com/aces/Loris/security/advisories/GHSA-qp6x-qfx7-54wp for detailed upgrade instructions and release notes. After patching, audit document_repository access logs for any suspicious file requests from authenticated users to detect potential prior exploitation.

Share

CVE-2026-35165 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy