CVE-2026-34985

LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 16.1.0 to before 27.0.3 and 28.0.1, While the frontend of the media module filters files that the user should not have access to, the backend was not applying access checks and it would be possible for someone who should not have access to a file to access it if they know the filename. This vulnerability is fixed in 27.0.3 and 28.0.1.

CVSS v3 6.3 MEDIUM

6.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/aces/Loris/security/advisories/GHSA-p42c-4gmq-hrjw	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:mcgill:loris::::::::
	cpe:2.3:a:mcgill:loris:28.0.0:::::::*

History

21 Apr 2026, 20:20

Type	Values Removed	Values Added
CPE		cpe:2.3:a:mcgill:loris:::::::: cpe:2.3:a:mcgill:loris:28.0.0:::::::*
References	~~() https://github.com/aces/Loris/security/advisories/GHSA-p42c-4gmq-hrjw -~~	() https://github.com/aces/Loris/security/advisories/GHSA-p42c-4gmq-hrjw - Vendor Advisory
First Time		Mcgill Mcgill loris

08 Apr 2026, 19:25

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-08 19:25

Updated : 2026-04-21 20:20

NVD link : CVE-2026-34985

Mitre link : CVE-2026-34985

CVE.ORG link : CVE-2026-34985

JSON object : View

Products Affected

mcgill

loris

CWE

CWE-639

Authorization Bypass Through User-Controlled Key

{"id": "CVE-2026-34985", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2026-04-08T19:25:23.157", "references": [{"url": "https://github.com/aces/Loris/security/advisories/GHSA-p42c-4gmq-hrjw", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-639"}]}], "descriptions": [{"lang": "en", "value": "LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 16.1.0 to before 27.0.3 and 28.0.1, While the frontend of the media module filters files that the user should not have access to, the backend was not applying access checks and it would be possible for someone who should not have access to a file to access it if they know the filename. This vulnerability is fixed in 27.0.3 and 28.0.1."}], "lastModified": "2026-04-21T20:20:00.083", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mcgill:loris:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8F804E5A-C679-411E-AA44-8CDEEC883F11", "versionEndIncluding": "27.0.2", "versionStartIncluding": "16.1.0"}, {"criteria": "cpe:2.3:a:mcgill:loris:28.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D358B66A-04AC-44F2-8EF6-4332D8AC00F4"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}