Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionGitHub Advisory
LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 21.0.0 to before 27.0.3 and 28.0.1, while the document_repository frontend was restricting file access, the backend endpoint was not correctly verifying access permissions. A user could theoretically download a file that they should not have access to, if they know or can brute force the filename. This vulnerability is fixed in 27.0.3 and 28.0.1.
AnalysisAI
LORIS versions 21.0.0 through 27.0.2 and 28.0.0 suffer from broken access control in the document_repository backend endpoint, allowing authenticated users to bypass frontend restrictions and download files they should not have access to by knowing or brute-forcing filenames. CVSS 6.3 (medium severity) with confirmed patch availability in versions 27.0.3 and 28.0.1. No public exploit code or active exploitation confirmed.
Technical ContextAI
LORIS is a self-hosted neuroimaging research data management web application. The vulnerability stems from CWE-639 (Authorization Bypass Through User-Controlled Key), where the frontend document_repository interface enforces access controls, but the corresponding backend API endpoint fails to validate whether the authenticated user has permission to access the requested file resource. An attacker with valid user credentials can enumerate or guess filenames and directly request them from the backend, bypassing the frontend's permission checks. The issue affects multiple major versions (21.x through 27.x and 28.0.0) across the aces/loris product line.
RemediationAI
Upgrade LORIS immediately to version 27.0.3 (for users on the 27.x branch) or version 28.0.1 (for users on the 28.x branch). Users on versions 21.0.0 through 27.0.2 should migrate to the latest patched release. No workarounds are documented; patching is the only confirmed fix. Refer to the official security advisory at https://github.com/aces/Loris/security/advisories/GHSA-qp6x-qfx7-54wp for detailed upgrade instructions and release notes. After patching, audit document_repository access logs for any suspicious file requests from authenticated users to detect potential prior exploitation.
Remote code execution in LORIS neuroimaging platform allows authenticated users with sufficient privileges to bypass pat
Reflected cross-site scripting and arbitrary markdown file download in LORIS help_editor module affects versions prior t
Authenticated users in LORIS 24.0.0 through 28.0.0 can exploit a path traversal vulnerability to read arbitrary configur
Path traversal in LORIS neuroimaging research platform versions 24.0.0 through 27.0.2 and 28.0.0 allows authenticated at
SQL injection in LORIS neuroimaging research platform versions prior to 27.0.3 and 28.0.1 enables unauthenticated remote
Path traversal in LORIS neuroimaging research platform (versions 20.0.0 through 27.0.2 and 28.0.0) enables unauthenticat
Cross-site scripting (XSS) in LORIS survey_accounts module (versions 15.10 through 27.0.2 and 28.0.0) allows authenticat
LORIS (Longitudinal Online Research and Imaging System) versions 16.1.0 through 27.0.2 and 28.0.0 allow authenticated us
LORIS (Longitudinal Online Research and Imaging System) versions 20.0.0 through 27.0.2 and 28.0.0 allow authenticated us
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20572