Skip to main content

Loris EUVDEUVD-2026-20570

| CVE-2026-34985 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-04-08 GitHub_M
6.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
27.0.3,28.0.1
EUVD ID Assigned
Apr 08, 2026 - 19:31 euvd
EUVD-2026-20570
Analysis Generated
Apr 08, 2026 - 19:31 vuln.today
CVE Published
Apr 08, 2026 - 18:22 nvd
MEDIUM 6.3

DescriptionGitHub Advisory

LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 16.1.0 to before 27.0.3 and 28.0.1, While the frontend of the media module filters files that the user should not have access to, the backend was not applying access checks and it would be possible for someone who should not have access to a file to access it if they know the filename. This vulnerability is fixed in 27.0.3 and 28.0.1.

AnalysisAI

LORIS (Longitudinal Online Research and Imaging System) versions 16.1.0 through 27.0.2 and 28.0.0 allow authenticated users to bypass backend access controls in the media module and access files they should not have permission to view, provided they know the filename. The vulnerability stems from missing server-side authorization checks that should prevent unauthorized file access, enabling confidentiality and integrity compromise of sensitive neuroimaging research data. The issue is fixed in versions 27.0.3 and 28.0.1.

Technical ContextAI

LORIS is a web-based research data management platform commonly deployed in neuroimaging institutions to store and manage imaging datasets and project metadata. The media module handles file storage and retrieval; it implements frontend-only filtering to restrict file visibility based on user permissions. However, the backend HTTP endpoints that serve files do not validate whether the requesting authenticated user has authorization to access the specific file resource, allowing direct requests to known file paths to bypass the intended access control model. This is a classic authorization bypass pattern (CWE-639: Authorization Bypass Through User-Controlled Key) where insufficient server-side validation of user permissions allows an authenticated attacker to access resources belonging to other projects or users. The affected product is identified by CPE cpe:2.3:a:aces:loris:*:*:*:*:*:*:*:* across versions 16.1.0 to 27.0.2 and 28.0.0.

RemediationAI

Vendor-released patches are available: upgrade to LORIS 27.0.3 or later for the 27.x branch, or 28.0.1 or later for the 28.x branch. Administrators should prioritize testing and deploying these patched versions to resolve the backend access control bypass. No workarounds are available that mitigate the vulnerability without patching, since the root cause is missing server-side authorization logic in the backend media module that cannot be compensated by frontend filtering alone. Detailed guidance and patch downloads are provided in the GitHub Security Advisory at https://github.com/aces/Loris/security/advisories/GHSA-p42c-4gmq-hrjw.

Share

EUVD-2026-20570 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy