Description
LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 21.0.0 to before 27.0.3 and 28.0.1, while the document_repository frontend was restricting file access, the backend endpoint was not correctly verifying access permissions. A user could theoretically download a file that they should not have access to, if they know or can brute force the filename. This vulnerability is fixed in 27.0.3 and 28.0.1.
Published: 2026-04-08
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized file disclosure
Action: Patch
AI Analysis

Impact

LORIS features a document_repository frontend that restricts file access, but its backend endpoint lacks proper permission verification. This flaw allows a user to retrieve files they should not access if the file name is known or guessable, resulting in potential leakage of confidential research data. The weakness aligns with improper authorization checks, exposing user information to unauthorized actors.

Affected Systems

LORIS, a self-hosted web application for neuroimaging research, is affected in versions 21.0.0 through 26.x, prior to 27.0.3, and before 28.0.1. Rolling updates to 27.0.3 or 28.0.1 eliminate the issue.

Risk and Exploitability

The vulnerability scores a CVSS of 6.3, indicating moderate severity. With no EPSS score available, the likelihood of exploitation is uncertain, but the absence from the CISA KEV catalog suggests it has not been publicly exploited as of now. Because the attack requires knowledge of a filename or brute‑forcing filenames, the vector is inferred to be remote via the web interface rather than a local privilege escalation. Once exploited, an attacker could obtain non‑public files, compromising confidentiality of research data.

Generated by OpenCVE AI on April 8, 2026 at 20:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the LORIS installation to version 27.0.3 or 28.0.1, which contain the fix for the backend authorization check.

Generated by OpenCVE AI on April 8, 2026 at 20:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Aces
Aces loris
Vendors & Products Aces
Aces loris

Wed, 08 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
Description LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 21.0.0 to before 27.0.3 and 28.0.1, while the document_repository frontend was restricting file access, the backend endpoint was not correctly verifying access permissions. A user could theoretically download a file that they should not have access to, if they know or can brute force the filename. This vulnerability is fixed in 27.0.3 and 28.0.1.
Title LORIS has incorrect access checks in document_repository
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}

Subscriptions

Aces Loris
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T20:13:29.831Z

Reserved: 2026-04-01T17:26:21.133Z

Link: CVE-2026-35165

cve-icon Vulnrichment

Updated: 2026-04-08T20:13:26.347Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-08T19:25:23.300

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-35165

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-09T08:27:50Z

Weaknesses