Description
LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. Prior to 27.0.3 and 28.0.1, the redirect parameter upon login to LORIS was not validating the value of the redirect as being within LORIS, which could be used to trick users into visiting arbitrary URLs if they are given a link with a third party redirect parameter. This vulnerability is fixed in 27.0.3 and 28.0.1.
Published: 2026-04-09
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Open Redirect
Action: Update
AI Analysis

Impact

A flaw in the login process of LORIS allows the redirect parameter to be set to any URL without verification, enabling an attacker to redirect users to malicious sites. This can lead to phishing or credential harvesting but does not directly grant code execution or data exfiltration. The weakness corresponds to an open redirect vulnerability (CWE-601).

Affected Systems

The vulnerability affects the LORIS web application owned by aces. Versions earlier than 27.0.3 and 28.0.1 are impacted; the issue was fixed in those releases.

Risk and Exploitability

The CVSS base score is 4.3, indicating moderate impact. EPSS information is not available and the vulnerability is not listed in the CISA KEV catalog. The attack vector is likely web-based, requiring an attacker to supply a crafted login URL with a redirect parameter targeting the victim's browser.

Generated by OpenCVE AI on April 9, 2026 at 18:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LORIS to version 27.0.3 or later
  • Upgrade LORIS to version 28.0.1 or later
  • If upgrades are not immediately possible, remove or encode the redirect parameter in login URLs to prevent arbitrary redirection
  • Monitor application logs for unexpected redirect attempts and block suspicious traffic
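The root cause described above is a login redirect parameter that was used without checking that it pointed back into the application. The following is an added example, not LORIS project code, showing the weak pattern beside a hardened validator of the kind the fixed releases are described as adding: only targets on the application's own origin are accepted, and everything else falls back to a fixed landing page. `APP_HOST` and `SAFE_DEFAULT` are constructed placeholders, not real LORIS values.

```python
"""Added example (not LORIS project code): validating a post-login redirect target.

redirect_unvalidated() is the weak pattern the advisory describes (the parameter is
used as-is). redirect_validated() only allows same-origin targets and always rebuilds
the result as a site-relative path, so the browser stays on the issuing origin.
"""
from urllib.parse import urlsplit, urlunsplit

APP_HOST = "loris.example.org"   # constructed: host the application is served from
SAFE_DEFAULT = "/main.php"       # constructed fallback landing page, not a real LORIS path


def redirect_unvalidated(redirect: str) -> str:
    """Weak pattern: whatever the parameter says becomes the Location target."""
    return redirect or SAFE_DEFAULT


def redirect_validated(redirect: str, app_host: str = APP_HOST,
                       default: str = SAFE_DEFAULT) -> str:
    """Return a same-origin redirect target derived from `redirect`, else `default`."""
    if not redirect:
        return default
    # Control characters and whitespace are never legitimate in a redirect value
    # and are the raw material for header injection and parser differentials.
    if any(ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in redirect):
        return default
    # Browsers treat "\" like "/" in the authority position and collapse repeated
    # leading slashes, so "/\host" and "///host" both resolve to another host.
    # Refuse those forms on the raw string before parsing.
    if "\\" in redirect or redirect.startswith("//"):
        return default
    try:
        parts = urlsplit(redirect)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return default

    if parts.scheme == "" and parts.netloc == "":
        # Site-relative target: require an absolute path ("/x"), not "x" or "//x".
        if parts.path.startswith("/") and not parts.path.startswith("//"):
            return urlunsplit(("", "", parts.path, parts.query, parts.fragment))
        return default

    # Absolute URL: allow only https to exactly our own host, with no userinfo
    # ("https://ourhost@evil.example" parses to host "evil.example") and no
    # explicit port. Even then, re-emit it as a relative path.
    if (parts.scheme == "https"
            and parts.hostname == app_host.lower()
            and parts.username is None and parts.password is None
            and port is None):
        return urlunsplit(("", "", parts.path or "/", parts.query, parts.fragment))
    return default
```

The check belongs on the server at the point where the Location header is built, and the value it emits is deliberately a relative path even when the input was an absolute same-host URL, so the browser can only ever land on the origin that issued the response. Requiring https and refusing an explicit port are conservative choices; a deployment that legitimately serves on a non-default port would relax the port test rather than the host test.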

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 00:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Mcgill
                                       Mcgill loris
CPEs                                   cpe:2.3:a:mcgill:loris:*:*:*:*:*:*:*:*
                                       cpe:2.3:a:mcgill:loris:28.0.0:*:*:*:*:*:*:*
Vendors & Products                     Mcgill
                                       Mcgill loris

Fri, 10 Apr 2026 14:15:00 +0000

Type                  Values Removed   Values Added
Metrics                                ssvc
                                       {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 10 Apr 2026 09:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Aces
                                       Aces loris
Vendors & Products                     Aces
                                       Aces loris

Thu, 09 Apr 2026 17:30:00 +0000

Type                  Values Removed   Values Added
Description                            LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. Prior to 27.0.3 and 28.0.1, the redirect parameter upon login to LORIS was not validating the value of the redirect as being within LORIS, which could be used to trick users into visiting arbitrary URLs if they are given a link with a third party redirect parameter. This vulnerability is fixed in 27.0.3 and 28.0.1.
Title                                  LORIS has an open redirect field on login
Weaknesses                             CWE-601
References
Metrics                                cvssV3_1
                                       {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-10T14:07:40.047Z

Reserved: 2026-04-08T00:01:47.628Z

Link: CVE-2026-39985

Vulnrichment

Updated: 2026-04-10T14:07:36.189Z

NVD

Status: Analyzed

Published: 2026-04-09T18:17:02.653

Modified: 2026-04-22T00:24:34.970

Link: CVE-2026-39985

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:32:00Z

Weaknesses