loris
Fixed versions
21.0.1
28.0.1
CVE-2026-35165 is a vulnerability affecting LORIS, a self-hosted web application for neuroimaging research. This flaw allows unauthorized users to potentially download files they lack permission to access, bypassing frontend restrictions. The vulnerability impacts versions 21.0.0 through 28.0.0 (excluding 28.0.1) and has been resolved in versions 27.0.3 and 28.0.1.
The primary impact of CVE-2026-35165 is the potential for unauthorized data exfiltration. An attacker who can determine or brute-force a valid filename within the document repository can download files they are not authorized to view. This could expose sensitive research data, patient information, or proprietary algorithms. While the vulnerability requires knowledge of the filename, the potential for data breach warrants immediate attention. The blast radius is limited to the data stored within the LORIS document repository, and lateral movement is not directly facilitated by this vulnerability.
CVE-2026-35165 was publicly disclosed on April 8, 2026. There is currently no indication of active exploitation or a KEV listing. Public proof-of-concept code is not yet available. The vulnerability's reliance on filename knowledge may limit its exploitability, but it remains a significant risk given the potential for data exposure.
Research institutions and organizations using LORIS for neuroimaging data management are at risk. Deployments running a vulnerable version are susceptible, and those with less stringent file access controls are particularly so. Shared hosting environments where multiple users share the same LORIS instance should be prioritized for patching.
• linux / server: Monitor LORIS application logs for unusual file access attempts or errors related to file permissions. Use journalctl -u loris to filter for relevant events.
• generic web: Monitor web server access logs for requests targeting files within the document repository, particularly those with unusual extensions or patterns. Use grep 'LORISDOCUMENTREPOSITORY' /var/log/apache2/access.log to identify potential exploitation attempts.
disclosure
Exploitation status
EPSS
0.03% (9th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-35165 is to upgrade LORIS to version 27.0.3 or 28.0.1, which contain the necessary fixes. If an immediate upgrade is not feasible, consider implementing stricter file access controls within the LORIS environment. Review and audit existing permissions to ensure they are correctly configured. While a WAF or proxy cannot directly prevent this vulnerability, it can be configured to monitor for unusual file download patterns. There are no specific Sigma or YARA rules available for this vulnerability at this time.
Upgrade LORIS to version 27.0.3 or later, or to version 28.0.1 or later. These versions fix the vulnerability by correctly verifying access permissions in the document repository backend, preventing users from downloading files they should not have access to.
CVE-2026-35165 is a vulnerability in LORIS that allows unauthorized file downloads because of insufficient access control verification. It affects versions 21.0.0 through 28.0.0 (that is, >= 21.0.0 and < 28.0.1) and has a CVSS score of 6.3 (Medium).
You are affected if you are running LORIS versions 21.0.0 through 28.0.0 (excluding 28.0.1). Check your LORIS version and upgrade immediately if vulnerable.
Upgrade LORIS to version 27.0.3 or 28.0.1. These versions include the fix for this unauthorized file download vulnerability.
There is currently no evidence of active exploitation of CVE-2026-35165, but it remains a potential risk.
Refer to the official LORIS security advisory for detailed information and updates regarding CVE-2026-35165.