Description
LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data and project management for neuroimaging research. From 16.1.0 to before 27.0.3 and 28.0.1, while the frontend of the media module filters out files that the user should not have access to, the backend did not apply the same access checks, so someone who should not have access to a file could retrieve it if they knew the filename. This vulnerability is fixed in 27.0.3 and 28.0.1.
Published: 2026-04-08
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized data disclosure
Action: Immediate patch
AI Analysis

Impact

A flaw in the LORIS media module backend allows files that should be inaccessible to be retrieved by anyone who knows the filename, because the backend does not enforce the access checks that the frontend applies when listing files. This provides a path for unauthorized disclosure of potentially sensitive neuroimaging data, but does not enable code execution, privilege escalation, or denial of service.
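The pattern described above, as an added illustration that is not LORIS code: a minimal media-download handler in the vulnerable form (only the UI filters, the backend checks existence alone) beside the fixed form (the backend re-applies the project-membership rule before serving). The user/project model and the filename table are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    projects: frozenset  # projects the user is a member of (constructed model)


# Constructed stand-in for a media table: filename -> owning project.
MEDIA_FILES = {
    "sub01_t1.nii.gz": "projectA",
    "sub02_t1.nii.gz": "projectB",
}


def list_media_frontend(user: User) -> list:
    """What the UI lists: only files belonging to the user's projects.
    This filtering alone is not a security control; the backend must enforce it."""
    return sorted(f for f, p in MEDIA_FILES.items() if p in user.projects)


def download_vulnerable(user: User, filename: str):
    """Backend that only checks that the file exists (CWE-639 shape): any
    authenticated user who knows a filename gets it, whatever their projects."""
    if filename not in MEDIA_FILES:
        return 404, None
    return 200, f"<contents of {filename}>"


def download_fixed(user: User, filename: str):
    """Backend that re-checks authorization where the request actually arrives."""
    project = MEDIA_FILES.get(filename)
    if project is None or project not in user.projects:
        # Same response for 'missing' and 'forbidden', so the endpoint cannot
        # be used to confirm which filenames exist.
        return 404, None
    return 200, f"<contents of {filename}>"
```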

Affected Systems

The vulnerability affects the self-hosted LORIS web application, versions from 16.1.0 up to, but not including, 27.0.3 and 28.0.1. The issue is resolved in releases 27.0.3 and 28.0.1 and later. Users running affected versions should consult the vendor for upgrade availability.

Risk and Exploitability

The CVSS score is 6.3, indicating moderate severity. Exploitation requires only an account on the web interface and knowledge of a filename; no elevated privileges are needed. Because the attack vector is the web interface and the vulnerability is publicly known, exploitation is plausible. The EPSS score is not available, and the flaw is not listed in CISA's KEV catalog.

Generated by OpenCVE AI on April 8, 2026 at 21:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update LORIS to version 27.0.3, 28.0.1, or a later release that includes the fix.


Advisories

No advisories yet.

History

Thu, 09 Apr 2026 08:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Aces; Aces loris
Vendors & Products                    Aces; Aces loris

Wed, 08 Apr 2026 19:00:00 +0000

Type          Values Removed   Values Added
Description                    LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 16.1.0 to before 27.0.3 and 28.0.1, While the frontend of the media module filters files that the user should not have access to, the backend was not applying access checks and it would be possible for someone who should not have access to a file to access it if they know the filename. This vulnerability is fixed in 27.0.3 and 28.0.1.
Title                          LORIS has incorrect access checks in media module
Weaknesses                     CWE-639
References
Metrics                        cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T18:22:09.927Z

Reserved: 2026-03-31T19:38:31.617Z

Link: CVE-2026-34985

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-04-08T19:25:23.157

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-34985

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:27:51Z

Weaknesses