Platform: php
Component: loris-platform
Fixed in: 16.1.1, 28.0.1
CVE-2026-34985 describes a file access vulnerability in LORIS, a self-hosted web application for neuroimaging research. The flaw allows unauthorized users to retrieve files if they know the file's name, bypassing the intended access restrictions. It affects LORIS versions 16.1.0 through 28.0.0 (28.0.1 is not affected) and has been resolved in versions 27.0.3 and 28.0.1.
The root cause is a discrepancy between the frontend and backend of the LORIS media module. The frontend filters the file listing so that users only see files they are permitted to access, but the backend performs no corresponding access check when a file is requested. An attacker who knows the filename of a restricted file can therefore skip the frontend entirely and request the file directly. The impact is unauthorized access to sensitive research data, compromising the confidentiality of neuroimaging studies. The attacker must know the filename, so how easily this can be exploited depends on the specific LORIS deployment and its file naming conventions.
This vulnerability was publicly disclosed on 2026-04-08. Currently, there are no reports of active exploitation or KEV listing. No public proof-of-concept (PoC) code has been released. The CVSS score of 6.3 (Medium) indicates a moderate level of potential risk, warranting prompt remediation.
Exploit Status
EPSS: 0.04% (11th percentile)
The primary mitigation for CVE-2026-34985 is to upgrade LORIS to version 27.0.3 or 28.0.1, which contain the fix. If an immediate upgrade is not feasible, consider temporary workarounds. A WAF rule is unlikely to help, because the malicious request looks like a legitimate download of a file by name; restricting direct file access in the web server's configuration (e.g., .htaccess for Apache) can provide a limited layer of protection. Review file naming conventions to reduce the chance that an attacker can guess filenames. After upgrading, verify the fix by attempting to access a file known to be restricted while logged in as a user account that should not have access; the request should be denied.
Update LORIS to version 27.0.3 or higher, or to version 28.0.1. These versions add the missing backend access checks so that media files can no longer be retrieved without authorization.
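The defect described above (authorization applied only when the frontend builds the file listing, not when the backend serves a file) and the post-upgrade verification step are illustrated by the following added example. It is not LORIS code and does not reflect how the LORIS media module is implemented; the `User`, `MediaRecord` and `$store` names, the site-based permission rule, and the sample filenames and paths are all constructed for this illustration.

```php
<?php
// Added illustration, not LORIS code. Shows a file-download endpoint that relies on
// the frontend having hidden restricted files (vulnerable) beside one that enforces
// the same permission rule on the server for every request (hardened).
// All class names, data and the "site membership" rule are hypothetical.

declare(strict_types=1);

final class User
{
    /** @param string[] $sites sites this user is permitted to see */
    public function __construct(
        public readonly string $name,
        public readonly array $sites,
    ) {}
}

final class MediaRecord
{
    public function __construct(
        public readonly string $filename,
        public readonly string $site,
        public readonly string $path,
    ) {}
}

// Constructed sample data standing in for the database rows and upload directory.
$store = [
    'scan_001.nii' => new MediaRecord('scan_001.nii', 'SiteA', '/srv/media/scan_001.nii'),
    'scan_002.nii' => new MediaRecord('scan_002.nii', 'SiteB', '/srv/media/scan_002.nii'),
];

// Vulnerable pattern: the listing page already filtered out SiteB files for this
// user, so the download handler only checks that a record with this name exists.
// Anyone who knows the name "scan_002.nii" can request it directly.
function downloadUnchecked(array $store, User $user, string $filename): ?string
{
    $record = $store[$filename] ?? null;
    return $record?->path;   // $user is never consulted
}

// Hardened pattern: the permission rule the frontend uses for the listing is
// re-applied here, on the server, before any file content is returned.
// Unknown file and unauthorized user are both answered with a denial.
function downloadChecked(array $store, User $user, string $filename): ?string
{
    $record = $store[$filename] ?? null;
    if ($record === null) {
        return null;                      // would be a 404 in a real handler
    }
    if (!in_array($record->site, $user->sites, true)) {
        return null;                      // would be a 403 in a real handler
    }
    return $record->path;
}

// The advisory's verification step: a user with no access to SiteB asks for a
// SiteB file by name. The unchecked handler hands back the path; the checked
// handler refuses. A file the user is entitled to is still served.
$alice = new User('alice', ['SiteA']);

var_dump(downloadUnchecked($store, $alice, 'scan_002.nii'));
var_dump(downloadChecked($store, $alice, 'scan_002.nii'));
var_dump(downloadChecked($store, $alice, 'scan_001.nii'));
```

The point of the hardened version is that the authorization decision is made from the file's own metadata and the requesting user's permissions on every request, independently of what the listing page chose to display. Any check that lives only in the frontend is advisory, because the backend endpoint can be called directly with a guessed or leaked filename.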
CVE-2026-34985 is a medium severity vulnerability in LORIS affecting versions 16.1.0 through 28.0.0 (that is, >= 16.1.0 and < 28.0.1). It allows unauthorized file access if the filename is known.
You are affected if you are running LORIS versions 16.1.0 through 28.0.0 (excluding 28.0.1).
Upgrade LORIS to version 27.0.3 or 28.0.1 to resolve the vulnerability. Consider temporary workarounds if an immediate upgrade is not possible.
There are currently no reports of active exploitation of CVE-2026-34985.
Refer to the official LORIS security advisory for detailed information and updates: [https://www.loris.nu/security/advisories](https://www.loris.nu/security/advisories)