Description
LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. Starting in version 24.0.0 and prior to versions 26.0.5, 27.0.2, and 28.0.0, an authenticated user with the appropriate authorization can read configuration files on the server by exploiting a path traversal vulnerability. Some of these files contain hard-coded credentials. The vulnerability allows an attacker to read configuration files containing hard-coded credentials. The attacker could then authenticate to the database or other services if those credentials are reused. The attacker must be authenticated and have the required permissions. However, the vulnerability is easy to exploit and the application source code is public. This problem is fixed in LORIS v26.0.5 and v27.0.2 and above, and v28.0.0 and above. As a workaround, the electrophysiology_browser module in LORIS can be disabled by an administrator using the module manager.
Published: 2026-02-25
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Credential Disclosure
Action: Patch Now
AI Analysis

Impact

This vulnerability arises from a path-traversal flaw in LORIS's electrophysiology_browser module, permitting an authenticated user with sufficient privileges to read configuration files on the server. Some of these files contain hard-coded credentials that can grant access to the database or other internal services. The primary effect is the disclosure of sensitive data that could be used to compromise additional components and services.

Affected Systems

The issue impacts the LORIS application released by aces. Versions beginning at 24.0.0 and up to, but not including, 26.0.5, 27.0.2, and 28.0.0 are vulnerable. The patched releases are 26.0.5, 27.0.2, and 28.0.0 or later.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity, but the EPSS score of less than 1% suggests that exploitation has not been widespread. Because the attacker must be authenticated and possess the appropriate permissions, the flaw is not openly exploitable; however, the straightforward path-traversal code and publicly available source make it trivial for a determined insider or compromised account to read the files. The vulnerability is not listed in the CISA KEV catalog, indicating no known public exploits so far, but the risk remains significant if configuration files contain reused credentials. The simplest exploitation chain is: authenticated user → module access → path traversal → arbitrary file read.

Generated by OpenCVE AI on April 18, 2026 at 10:33 UTC.
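The underlying weakness is CWE-22: a user-controlled path fragment is joined to a server-side directory without being confined to that directory. The standard defensive pattern is to resolve the requested path against an allowed base directory (following symlinks and ".." segments) and refuse anything whose canonical form lies outside it. The Python below is an added illustration of that check written for this page; it is not code from LORIS, from the electrophysiology_browser module, or from the upstream fix. The function names, the temporary directory layout and the sample credential string are constructed for the demonstration (LORIS itself is a PHP application, where the same pattern is realpath() plus a prefix comparison).

```python
"""Hardened path resolution against CWE-22 (path traversal).

Added example for this CVE record; not LORIS project code.
"""
import os
import tempfile
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when a requested path would escape the allowed base directory."""


def resolve_within_base(base_dir: str, requested: str) -> str:
    """Return the canonical path for `requested` only if it stays inside `base_dir`.

    Checks performed, in order:
      1. percent-decode twice, so double-encoded "..%252f" is seen as "../"
      2. reject NUL bytes, which truncate paths in C-backed runtimes
      3. reject absolute paths (os.path.join would otherwise discard base_dir)
      4. canonicalise with realpath (resolves symlinks and "..") and compare
         with os.path.commonpath, because a plain startswith() check would
         accept "/srv/data2/x" as being inside "/srv/data"
    """
    decoded = unquote(unquote(requested))
    if "\x00" in decoded:
        raise PathTraversalError("NUL byte in requested path")
    if os.path.isabs(decoded):
        raise PathTraversalError("absolute paths are not allowed")
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, decoded))
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise PathTraversalError(f"path escapes base directory: {requested!r}")
    return candidate


def is_safe(base_dir: str, requested: str) -> bool:
    """Boolean wrapper around resolve_within_base for logging or tests."""
    try:
        resolve_within_base(base_dir, requested)
        return True
    except PathTraversalError:
        return False


def demo() -> dict:
    """Build a constructed layout in a temp dir and classify several requests.

    The layout mimics the risk described in the advisory: a file holding a
    (constructed, fake) credential sits one level above the served directory,
    and a symlink inside the served directory points at it.
    """
    root = tempfile.mkdtemp()
    base = os.path.join(root, "data")
    os.mkdir(base)
    outside = os.path.join(root, "outside.conf")
    with open(outside, "w", encoding="utf-8") as fh:
        fh.write("db_password=constructed-sample-value\n")  # constructed, not real
    os.symlink(outside, os.path.join(base, "link.conf"))
    return {
        "plain": is_safe(base, "session/file.txt"),          # True
        "dotdot": is_safe(base, "../outside.conf"),           # False
        "encoded": is_safe(base, "%2e%2e/outside.conf"),      # False
        "double_encoded": is_safe(base, "..%252foutside.conf"),  # False
        "symlink_escape": is_safe(base, "link.conf"),         # False
        "absolute": is_safe(base, outside),                   # False
        "nul_byte": is_safe(base, "file.txt%00.png"),         # False
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15s} allowed={verdict}")
```

The symlink case is the one most often missed: a prefix check on the unresolved path would accept "link.conf" even though the file it opens lives outside the served directory. Resolving both sides with realpath before comparing closes that gap, and it is the reason the comparison uses the canonical base rather than the configured string.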

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LORIS to version 26.0.5 or later (for the 26.0.x branch), or to 27.0.2 or 28.0.0 or newer, to apply the official fix.
  • If an upgrade cannot be performed immediately, disable the electrophysiology_browser module using the module manager to eliminate the vulnerable component.
  • Review and tighten permissions so that only trusted users can access the module, reducing the risk that an authenticated attacker could exploit the path traversal.

Generated by OpenCVE AI on April 18, 2026 at 10:33 UTC.


Advisories

No advisories yet.

History

Thu, 05 Mar 2026 17:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Mcgill; Mcgill loris
CPEs | | cpe:2.3:a:mcgill:loris:*:*:*:*:*:*:*:*
Vendors & Products | | Mcgill; Mcgill loris

Thu, 26 Feb 2026 13:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Aces; Aces loris
Vendors & Products | | Aces; Aces loris

Wed, 25 Feb 2026 22:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 25 Feb 2026 21:45:00 +0000

Type | Values Removed | Values Added
Description | | LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. Starting in version 24.0.0 and prior to versions 26.0.5, 27.0.2, and 28.0.0, an authenticated user with the appropriate authorization can read configuration files on the server by exploiting a path traversal vulnerability. Some of these files contain hard-coded credentials. The vulnerability allows an attacker to read configuration files containing hard-coded credentials. The attacker could then authenticate to the database or other services if those credentials are reused. The attacker must be authenticated and have the required permissions. However, the vulnerability is easy to exploit and the application source code is public. This problem is fixed in LORIS v26.0.5 and v27.0.2 and above, and v28.0.0 and above. As a workaround, the electrophysiology_browser module in LORIS can be disabled by an administrator using the module manager.
Title | | LORIS vulnerable to path traversal in electrophysiology_browser
Weaknesses | | CWE-22
References | | 
Metrics | | cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-25T21:39:45.355Z

Reserved: 2026-02-17T01:41:24.606Z

Link: CVE-2026-26985

Vulnrichment

Updated: 2026-02-25T21:39:39.147Z

NVD

Status : Analyzed

Published: 2026-02-25T22:16:24.360

Modified: 2026-03-05T17:40:35.967

Link: CVE-2026-26985

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T10:45:43Z

Weaknesses