Description
LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 24.0.0 to before 27.0.3 and 28.0.1, an incorrect order of operations in the FilesDownloadHandler could result in an attacker escaping the intended download directories. This vulnerability is fixed in 27.0.3 and 28.0.1.
Published: 2026-04-08
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: File Disclosure
Action: Immediate Patch
AI Analysis

Impact

LORIS’s FilesDownloadHandler processes download requests with an incorrect order of operations, allowing attackers to escape the intended download directories via crafted URLs. The result is the ability to download arbitrary files stored on the web server, potentially exposing sensitive project data, configuration files, or user credentials to any attacker who can access the application. This flaw falls under CWE‑552 and carries a CVSS score of 7.7, indicating high severity and a significant threat to confidentiality.

Affected Systems

The vulnerability affects LORIS 24.0.0 and all releases before 27.0.3, as well as 28.0.1. These are self‑hosted instances used for neuroimaging research that provide data and project management. All affected installations may allow unauthorized file download unless upgraded to the patched versions.

Risk and Exploitability

With a CVSS score of 7.7 the risk is high, and because the flaw is exploitable by sending a specially crafted request from any network segment that can reach the application, the attack vector is inferred to be remote over HTTP. No EPSS information is available, but the lack of authentication requirements and the straightforward request pattern suggest a high likelihood of exploitation in exposed environments. The vulnerability is not listed in the CISA KEV catalog, but its potential impact justifies immediate attention.

Generated by OpenCVE AI on April 8, 2026 at 20:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Loris to version 27.0.3 or later, which contains the patch for the FilesDownloadHandler.
  • If an upgrade is not immediately possible, restrict file download functionality by configuring the web server to serve only the intended download directories and deny traversal patterns; alternatively, disable the download endpoint until a patch can be applied.
  • Add application‑level validation to reject requests containing directory traversal characters such as ".." or absolute paths.
  • Deploy a web application firewall rule to block path traversal patterns and reduce the attack surface.
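As an added illustration (not LORIS's code; the advisory does not say which operations were swapped in FilesDownloadHandler), the Python below contrasts a download handler that tests directory containment before canonicalising the requested path with one that canonicalises first and then tests containment, the ordering that makes the validation in the recommendations above effective. The directory layout and file names are constructed for the demo.

```python
import os
import tempfile
from typing import Optional


def download_path_unsafe(base_dir: str, requested: str) -> Optional[str]:
    """Mis-ordered check (illustrative only, not the LORIS handler): the
    containment test runs on the raw textual join, and '..' segments are
    only collapsed by realpath() afterwards, so the final path can still
    lie outside base_dir."""
    candidate = os.path.join(base_dir, requested)
    if not candidate.startswith(os.path.join(base_dir, "")):
        return None
    return os.path.realpath(candidate)  # normalisation happens too late


def download_path_safe(base_dir: str, requested: str) -> Optional[str]:
    """Hardened ordering: canonicalise both sides first (collapsing '..'
    and symlinks), then test containment, then check the target exists."""
    base = os.path.realpath(base_dir)
    resolved = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, resolved]) != base:
        return None
    if not os.path.isfile(resolved):
        return None
    return resolved


def demo() -> dict:
    """Build a constructed layout in a temp dir and exercise both handlers.
    Returns, per handler, whether each request would be served."""
    root = tempfile.mkdtemp()
    downloads = os.path.join(root, "downloads")
    os.mkdir(downloads)
    with open(os.path.join(downloads, "report.txt"), "w") as fh:
        fh.write("inside the download directory")
    secret = os.path.join(root, "secret.txt")
    with open(secret, "w") as fh:
        fh.write("outside the download directory")
    # relative name, parent-directory traversal, absolute path
    requests = ["report.txt", "../secret.txt", secret]
    results = {}
    for name, handler in (("unsafe", download_path_unsafe), ("safe", download_path_safe)):
        results[name] = {req: handler(downloads, req) is not None for req in requests}
    return results


if __name__ == "__main__":
    for handler, served in demo().items():
        print(handler, served)
```

The unsafe handler serves the traversal request because its prefix test passes on the un-normalised string; the safe handler rejects both the traversal and the absolute path while still serving the legitimate file.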

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 00:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Mcgill; Mcgill loris
CPEs                                  cpe:2.3:a:mcgill:loris:*:*:*:*:*:*:*:*; cpe:2.3:a:mcgill:loris:28.0.0:*:*:*:*:*:*:*
Vendors & Products                    Mcgill; Mcgill loris

Thu, 09 Apr 2026 08:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Aces; Aces loris
Vendors & Products                    Aces; Aces loris

Wed, 08 Apr 2026 21:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 19:00:00 +0000

Type                 Values Removed   Values Added
Description                           LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 24.0.0 to before 27.0.3 and 28.0.1, an incorrect order of operations in the FilesDownloadHandler could result in an attacker escaping the intended download directories. This vulnerability is fixed in 27.0.3 and 28.0.1.
Title                                 LORIS has a path traversal in FilesDownloadHandler
Weaknesses                            CWE-552
References
Metrics                               cvssV3_1: {'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T20:13:54.835Z

Reserved: 2026-04-02T19:25:52.192Z

Link: CVE-2026-35446

Vulnrichment

Updated: 2026-04-08T20:13:49.952Z

NVD

Status : Analyzed

Published: 2026-04-08T19:25:24.217

Modified: 2026-04-21T20:04:43.860

Link: CVE-2026-35446

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:27:46Z

Weaknesses