Impact
OHIF Viewer Framework contains two data source components, DicomWebProxyDataSource and DicomJSONDataSource, that accept arbitrary URL parameters without validation. When these components are used, the framework automatically injects the authenticated user's OIDC Bearer token into the outbound request. An attacker can supply a malicious URL as a parameter, causing the framework to fetch that URL and leak the token to an attacker-controlled server. This Server-Side Request Forgery (SSRF) can expose confidential authentication credentials and allow further path traversal or resource access through the injected token. The vulnerability does not directly enable code execution, but it provides a channel for credential theft and potential lateral movement within the client's environment.
Affected Systems
Version 3.12.2 of the OHIF DICOM Web Viewer Framework addresses the SSRF flaw. Deployments running any earlier version are affected, particularly those that include the default DicomWebProxyDataSource or DicomJSONDataSource configurations with authentication enabled. The issue is specific to the OHIF DICOM Web Viewer Framework maintained by the Open Health Imaging Foundation and does not affect other vendors or unrelated products.
Risk and Exploitability
The flaw carries a CVSS score of 8.3, indicating high severity. EPSS data is unavailable and no exploitation context has been published, but a moderate-to-high likelihood of attempts should be assumed. The vulnerability is not currently listed in the CISA KEV catalog, but because an authenticated token is leaked, attack chains can be constructed in environments with allowed remote data sources. The attack vector can be inferred as an SSRF caused by passing a controlled URL to the data source components; an attacker would need to trigger this request, either by modifying the configuration or by submitting a form that includes the malicious URL. Once executed, the attacker receives the bearer token and can authenticate to downstream services with the victim's privileges.
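The root cause described in the Impact and Risk sections is that a bearer token is attached to a request whose destination was never checked. The following is an added example, not code from the OHIF project, showing the defensive pattern a deployment or data-source layer can apply: parse the supplied URL, compare its full origin against an explicit allowlist, and only then attach the Authorization header. The allowlist entries, the helper names (isTrustedDataSourceUrl, buildAuthenticatedRequest, buildUnsafeRequest) and the sample URLs are constructed for illustration and are not part of the advisory.

```javascript
// Added example (not OHIF project code): allowlist gate for outbound
// data-source URLs so that an OIDC bearer token is only attached to requests
// bound for origins the deployment explicitly trusts.
//
// Assumptions (not from the advisory): the deployment configures a list of
// trusted DICOMweb origins; all helper names below are hypothetical.

// Constructed sample configuration: the only origins this viewer may call
// with the user's token. Origins include scheme, host and (if any) port.
const TRUSTED_ORIGINS = [
  'https://pacs.example-hospital.internal',
  'https://dicomweb.example-hospital.internal:8443',
];

/**
 * Decide whether a caller-supplied URL may receive the bearer token.
 * Returns true only for well-formed https URLs whose origin (scheme, host,
 * port) exactly matches an allowlist entry. http://, embedded credentials,
 * unparseable input and hosts that merely end with a trusted name are all
 * rejected, so substring or suffix matching cannot be abused.
 */
function isTrustedDataSourceUrl(rawUrl, trustedOrigins = TRUSTED_ORIGINS) {
  let parsed;
  try {
    parsed = new URL(String(rawUrl));
  } catch {
    return false; // unparseable input is never trusted
  }
  if (parsed.protocol !== 'https:') return false;
  if (parsed.username || parsed.password) return false; // reject user:pass@host forms
  // Compare parser-normalised origins, never raw strings or prefixes.
  return trustedOrigins.some(origin => {
    try {
      return new URL(origin).origin === parsed.origin;
    } catch {
      return false; // a malformed allowlist entry matches nothing
    }
  });
}

/**
 * Weak pattern the advisory describes: the token is attached to whatever URL
 * was supplied, so the destination decides where the credential goes.
 * Included only for contrast with buildAuthenticatedRequest.
 */
function buildUnsafeRequest(rawUrl, token) {
  return { url: rawUrl, headers: { Authorization: `Bearer ${token}` } };
}

/**
 * Hardened pattern: validate the destination first, then attach the token.
 * Untrusted URLs throw rather than silently sending an unauthenticated
 * request, so a misconfiguration or injection attempt surfaces in logs.
 */
function buildAuthenticatedRequest(rawUrl, token, trustedOrigins = TRUSTED_ORIGINS) {
  if (!isTrustedDataSourceUrl(rawUrl, trustedOrigins)) {
    throw new Error(`refusing to send bearer token to untrusted URL: ${rawUrl}`);
  }
  return { url: new URL(rawUrl).href, headers: { Authorization: `Bearer ${token}` } };
}
```

Because the comparison is on `URL.origin`, a port mismatch, a different scheme or a host such as `pacs.example-hospital.internal.attacker.example` all fail the check even though they share text with a trusted entry; that is the property a configuration review should confirm before enabling remote data sources with authentication.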
OpenCVE Enrichment