Skip to main content

Loris CVE-2026-35446

| EUVDEUVD-2026-20580 HIGH
Files or Directories Accessible to External Parties (CWE-552)
2026-04-08 GitHub_M
7.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.7 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

7
Re-analysis Queued
Apr 21, 2026 - 20:07 vuln.today
cvss_changed
Analysis Updated
Apr 16, 2026 - 06:01 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
27.0.3,28.0.1
EUVD ID Assigned
Apr 08, 2026 - 19:31 euvd
EUVD-2026-20580
Analysis Generated
Apr 08, 2026 - 19:31 vuln.today
CVE Published
Apr 08, 2026 - 18:28 nvd
HIGH 7.7

DescriptionGitHub Advisory

LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 24.0.0 to before 27.0.3 and 28.0.1, an incorrect order of operations in the FilesDownloadHandler could result in an attacker escaping the intended download directories. This vulnerability is fixed in 27.0.3 and 28.0.1.

AnalysisAI

Path traversal in LORIS neuroimaging research platform versions 24.0.0 through 27.0.2 and 28.0.0 allows authenticated attackers to bypass directory restrictions in FilesDownloadHandler, enabling unauthorized access to files outside intended download directories. The vulnerability exploits incorrect operation ordering during file access validation, permitting low-privileged authenticated users to exfiltrate sensitive neuroimaging data and project files across organizational boundaries. CVSS 7.7 severity reflects cross-scope confidentiality breach with network accessibility and low attack complexity. No public exploit identified at time of analysis.

Technical ContextAI

CWE-552 (Files or Directories Accessible to External Parties) manifests through operation-ordering flaw in FilesDownloadHandler class. Authentication requirement (PR:L) indicates low-privileged user exploitation. Cross-scope impact (S:C) suggests access beyond user's assigned research projects. Root cause lies in premature path resolution before security boundary enforcement, enabling classic directory escape sequences.

RemediationAI

Vendor-released patches: upgrade to LORIS 27.0.3 or 28.0.1, which correct the operation sequence in FilesDownloadHandler to validate path boundaries before file access. For version 27.x deployments, apply 27.0.3; for version 28.x, apply 28.0.1. Installations on unsupported 24.x-26.x branches must migrate to supported release train. No effective workaround exists without code modification; file download functionality cannot be safely disabled without breaking core research workflows. Verify patch application by testing directory traversal sequences (../, absolute paths) are rejected post-upgrade. Official security advisory with detailed remediation steps: https://github.com/aces/Loris/security/advisories/GHSA-47jj-7xfg-8759

Share

CVE-2026-35446 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy