Platform: php
Component: loris
Fixed in: 21.0.1, 28.0.1
CVE-2026-35165 is a vulnerability affecting LORIS, a self-hosted web application for neuroimaging research. The flaw allows unauthorized users to download files they lack permission to access, bypassing frontend restrictions. It affects versions 21.0.0 through 28.0.0 (28.0.1 is not affected) and has been resolved in versions 27.0.3 and 28.0.1.
The primary impact of CVE-2026-35165 is the potential for unauthorized data exfiltration. An attacker who can determine or brute-force a valid filename within the document repository can download files they are not authorized to view. This could expose sensitive research data, patient information, or proprietary algorithms. While the vulnerability requires knowledge of the filename, the potential for data breach warrants immediate attention. The blast radius is limited to the data stored within the LORIS document repository, and lateral movement is not directly facilitated by this vulnerability.
CVE-2026-35165 was publicly disclosed on April 8, 2026. There is currently no indication of active exploitation or a KEV listing. Public proof-of-concept code is not yet available. The vulnerability's reliance on filename knowledge may limit its exploitability, but it remains a significant risk given the potential for data exposure.
Exploit Status:
EPSS: 0.03% (9th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-35165 is to upgrade LORIS to version 27.0.3 or 28.0.1, which contain the necessary fixes. If an immediate upgrade is not feasible, consider implementing stricter file access controls within the LORIS environment. Review and audit existing permissions to ensure they are correctly configured. While a WAF or proxy cannot directly prevent this vulnerability, it can be configured to monitor for unusual file download patterns. There are no specific Sigma or YARA rules available for this vulnerability at this time.
Update LORIS to version 27.0.3 or higher, or to version 28.0.1 or higher. These versions fix the vulnerability by correctly verifying access permissions in the document repository backend, preventing users from downloading files they should not have access to.
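As an added illustration (not LORIS code and not taken from the advisory), this Python model contrasts a download handler that relies on the frontend to hide files with one that verifies access in the backend and records refusals, the pattern the fix and the monitoring advice above describe. The repository, project names and user-access table are constructed.

```python
"""Model of the CVE-2026-35165 bug class: a download endpoint that trusts the
frontend to hide files, beside a backend that re-checks permission itself.
Constructed example; not LORIS code. The permission model is hypothetical."""
from collections import Counter
from dataclasses import dataclass, field

# Constructed repository: filename -> (owning project, contents)
REPO = {
    "protocol_v2.pdf": ("ProjectA", b"%PDF protocol"),
    "subject_scores.csv": ("ProjectB", b"id,score\n1,42\n"),
}
# Constructed access table: user -> projects the user may read
ACCESS = {"alice": {"ProjectA"}, "bob": {"ProjectB"}}


@dataclass
class Audit:
    """Refused download attempts per user, kept for monitoring."""
    denied: Counter = field(default_factory=Counter)


def download_vulnerable(user, filename):
    """Pre-fix behaviour: the UI only lists files the user may see, but the
    backend serves any known filename, so knowing or guessing a name is enough."""
    if filename not in REPO:
        return None
    return REPO[filename][1]


def download_fixed(user, filename, audit):
    """Post-fix behaviour: the backend checks the user's project access itself,
    denies by default, and records refusals so unusual patterns can be flagged."""
    entry = REPO.get(filename)
    if entry is None or entry[0] not in ACCESS.get(user, set()):
        # Same response for unknown and forbidden names, so the endpoint
        # does not confirm which filenames exist to an unauthorized caller.
        audit.denied[user] += 1
        return None
    return entry[1]


def flag_enumeration(audit, threshold=5):
    """Users whose refused downloads reach the threshold: the 'unusual file
    download pattern' the mitigation text suggests watching for."""
    return sorted(u for u, n in audit.denied.items() if n >= threshold)
```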
CVE-2026-35165 is a vulnerability in LORIS allowing unauthorized file downloads due to insufficient access control verification. It affects versions 21.0.0 through 28.0.0, including the 28.x range >= 28.0.0 and < 28.0.1, and has a CVSS score of 6.3 (Medium).
You are affected if you are running LORIS versions 21.0.0 through 28.0.0; 28.0.1 is not affected. Check your LORIS version and upgrade immediately if vulnerable.
Upgrade LORIS to version 27.0.3 or 28.0.1. These versions include the fix for this unauthorized file download vulnerability.
There is currently no evidence of active exploitation of CVE-2026-35165, but it remains a potential risk.
Refer to the official LORIS security advisory for detailed information and updates regarding CVE-2026-35165.