Description
LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 20.0.0 to before 27.0.3 and 28.0.1, a bug in the static file router can allow an attacker to traverse outside of the intended directory, allowing unintended files to be downloaded through the static, css, and js endpoints. This vulnerability is fixed in 27.0.3 and 28.0.1.
Published: 2026-04-08
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: Remote File Disclosure via Path Traversal
Action: Patch Immediately
AI Analysis

Impact

The vulnerability in LORIS's static file router permits an attacker to request files outside the intended directory. By manipulating the URL to the static, css, and js endpoints, the attacker can traverse the file system and download arbitrary files, exposing sensitive data. This issue is a classic path traversal flaw, identified as CWE-552, and can lead to confidentiality breaches if the application serves privileged content.

Affected Systems

Affected products include the open-source LORIS platform by aces. Versions from 20.0.0 up to, but not including, 27.0.3 and up to, but not including, 28.0.1 are vulnerable. The security fix was released in 27.0.3 and 28.0.1. Users running any earlier releases should verify their installed version before applying the fix.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity. Although the EPSS score is not available and the vulnerability does not appear in the KEV catalog, the ability to read any file from the server via a public HTTP endpoint suggests that the attack can be performed remotely without authentication. The exploit path is straightforward: crafting a URL that includes path traversal sequences which the router fails to sanitize. Because the endpoints require neither authentication nor rate limiting, the likelihood of exploitation remains significant, especially where LORIS is exposed to untrusted users.

Generated by OpenCVE AI on April 8, 2026 at 19:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the LORIS patch to at least version 27.0.3 or 28.0.1
  • If immediate patching is not possible, disable the static, css, and js endpoints or restrict directory access in the web server configuration
  • Review and sanitize file paths in the application if custom changes are present
  • Monitor web server logs for path traversal attempts and block offending IPs
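The two technical recommendations above, sanitizing file paths and watching access logs for traversal attempts, are illustrated by the following added example. It is not LORIS code (LORIS is written in PHP, and nothing here reproduces its router); the directory layout under `/var/www/loris/htdocs`, the endpoint-to-root mapping and the access-log lines are constructed assumptions. The resolver shows the containment check a static route needs, next to the naive prefix check that a sibling directory such as `static_private` slips past, and the scanner flags raw and percent-encoded `..` sequences in request lines.

```python
import os
import re
from urllib.parse import unquote

# Constructed directory layout: an assumption for this example, not LORIS's
# real tree. Each public endpoint name maps to exactly one document root.
STATIC_ROOTS = {
    "static": "/var/www/loris/htdocs/static",
    "css": "/var/www/loris/htdocs/css",
    "js": "/var/www/loris/htdocs/js",
}


class PathTraversalError(ValueError):
    """Raised when a request would resolve outside its endpoint's root."""


def _decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode until the string is stable, so double encoding is caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def naive_prefix_check(endpoint: str, requested: str) -> bool:
    """The common mistake: a bare startswith() on the normalized path.
    It accepts a sibling directory whose name merely begins with the root."""
    root = STATIC_ROOTS[endpoint]
    candidate = os.path.normpath(os.path.join(root, requested))
    return candidate.startswith(root)


def resolve_static_path(endpoint: str, requested: str) -> str:
    """Map a request on a static endpoint to the canonical path of a file
    under that endpoint's root, or raise PathTraversalError."""
    root = STATIC_ROOTS.get(endpoint)
    if root is None:
        raise LookupError(f"unknown static endpoint: {endpoint!r}")

    decoded = _decode_fully(requested)
    if "\x00" in decoded:
        raise PathTraversalError("null byte in requested path")
    decoded = decoded.replace("\\", "/")

    # lstrip('/') matters: os.path.join discards the root entirely when the
    # second argument is absolute, so '/etc/passwd' would otherwise win.
    candidate = os.path.join(root, decoded.lstrip("/"))

    # realpath() collapses '..' and follows symlinks on both sides, so the
    # containment check compares canonical forms rather than raw strings.
    real_root = os.path.realpath(root)
    real_candidate = os.path.realpath(candidate)

    # Require the separator after the root so '<root>_private/...' is rejected.
    if not real_candidate.startswith(real_root + os.sep):
        raise PathTraversalError(f"request escapes {endpoint} root: {requested!r}")
    return real_candidate


def is_safe_static_path(endpoint: str, requested: str) -> bool:
    """Boolean wrapper around resolve_static_path for callers and tests."""
    try:
        resolve_static_path(endpoint, requested)
    except (PathTraversalError, LookupError):
        return False
    return True


# Detection side: flag request lines whose path carries traversal sequences,
# raw or percent-encoded (single or double), checked before and after decoding.
_TRAVERSAL = re.compile(r"\.\.[/\\]|%2e%2e(?:%2f|%5c|/)|%252e", re.IGNORECASE)
_REQUEST = re.compile(r'"(?:GET|HEAD|POST) (\S+)')


def find_traversal_attempts(log_lines):
    """Return the access-log lines whose request path looks like traversal."""
    hits = []
    for line in log_lines:
        match = _REQUEST.search(line)
        if not match:
            continue
        path = match.group(1)
        if _TRAVERSAL.search(path) or _TRAVERSAL.search(_decode_fully(path)):
            hits.append(line)
    return hits


# Constructed access-log lines in combined format (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [08/Apr/2026:19:52:01 +0000] "GET /css/main.css HTTP/1.1" 200 1024',
    '203.0.113.9 - - [08/Apr/2026:19:52:07 +0000] "GET /static/../../etc/passwd HTTP/1.1" 200 2048',
    '203.0.113.9 - - [08/Apr/2026:19:52:09 +0000] "GET /js/%2e%2e%2f%2e%2e%2fconfig.xml HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    print(resolve_static_path("css", "main.css"))
    for bad in ("../../etc/passwd", "..%2F..%2Fetc%2Fpasswd", "../static_private/x"):
        print(bad, "naive:", naive_prefix_check("static", bad), "hardened:", is_safe_static_path("static", bad))
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print("log hit:", hit)
```

The containment test deliberately compares canonical paths with a trailing separator instead of checking for `..` in the input: rejecting substrings misses encoded variants, while canonicalizing and then asking "is the result inside the root?" holds regardless of how the request was spelled. The log scanner is a triage aid for the monitoring step; whether raw `../` survives into the log depends on how the front-end web server normalizes request lines, so the encoded patterns are the ones most worth keeping.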

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 20:15:00 +0000

  Type                 Values Removed   Values Added
  First Time appeared  (none)           Aces; Aces loris
  Vendors & Products   (none)           Aces; Aces loris

Wed, 08 Apr 2026 18:45:00 +0000

  Type          Values Removed   Values Added
  Description   (none)           LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 20.0.0 to before 27.0.3 and 28.0.1, a bug in the static file router can allow an attacker to traverse outside of the intended directory, allowing unintended files to be downloaded through the static, css, and js endpoints. This vulnerability is fixed in 27.0.3 and 28.0.1.
  Title         (none)           LORIS has a path traversal in static router
  Weaknesses    (none)           CWE-552
  References    (none)           (none)
  Metrics       (none)           cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T17:57:35.927Z

Reserved: 2026-03-27T13:45:29.619Z

Link: CVE-2026-34392

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-04-08T19:25:21.723

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-34392

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T20:12:43Z

Weaknesses