Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-26984

CVE-2026-26984: LORIS Path Traversal Vulnerability

CVE-2026-26984 is a path traversal flaw in LORIS that allows authenticated users to upload malicious files to arbitrary server locations, potentially leading to remote code execution. This article covers technical details, affected versions, impact, and mitigation steps.

Published:

CVE-2026-26984 Overview

CVE-2026-26984 is a path traversal vulnerability in LORIS (Longitudinal Online Research and Imaging System), a self-hosted web application used for data and project management in neuroimaging research. This vulnerability allows authenticated users with sufficient privileges to upload malicious files to arbitrary locations on the server, potentially leading to remote code execution (RCE).

Critical Impact

Authenticated attackers can exploit path traversal to upload malicious files and achieve remote code execution on vulnerable LORIS installations.

Affected Products

  • LORIS versions prior to v26.0.5
  • LORIS versions prior to v27.0.2
  • LORIS versions prior to v28.0.0

Discovery Timeline

  • 2026-02-25 - CVE-2026-26984 published to NVD
  • 2026-02-25 - Last updated in NVD database

Technical Details for CVE-2026-26984

Vulnerability Analysis

This vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as path traversal. The flaw exists in LORIS's media module file upload functionality, where insufficient validation of user-supplied file paths allows attackers to escape the intended upload directory.

An authenticated attacker with appropriate permissions can manipulate file path parameters during the upload process to traverse the directory structure using sequences like ../. This enables writing files to arbitrary locations on the server's filesystem. Once a malicious file (such as a PHP web shell) is placed in a web-accessible directory, the attacker can execute it to achieve remote code execution.

The vulnerability requires authentication and specific permissions, which limits the attack surface. However, in environments where multiple users have upload privileges or where account compromise has occurred, this represents a significant risk. Notably, if the LORIS server is configured with a read-only filesystem, RCE is not possible, though the malicious file upload attempt may still succeed.

Root Cause

The root cause of CVE-2026-26984 is inadequate input validation and sanitization of file path parameters within the media module. The application fails to properly neutralize special path elements (such as .. sequences) before using them to construct file paths for upload operations. This allows attackers to break out of the intended upload directory and write files to arbitrary locations on the server.

Attack Vector

The attack is network-based and requires an authenticated session with sufficient privileges to access the media module's upload functionality. The attacker submits a crafted file upload request containing path traversal sequences in the filename or path parameter. When the server processes this request, it constructs the destination path using the unsanitized input, allowing the file to be written outside the intended directory.

The exploitation flow typically involves:

  1. Authenticating to LORIS with an account that has media upload permissions
  2. Intercepting or crafting a file upload request to the media module
  3. Injecting path traversal sequences (e.g., ../../) into the file path parameter
  4. Uploading a malicious payload (such as a PHP web shell) to a web-accessible directory
  5. Accessing the uploaded file via HTTP to trigger code execution

For detailed technical information, refer to the GitHub Security Advisory GHSA-mpgc-c48m-6v2h.

Detection Methods for CVE-2026-26984

Indicators of Compromise

  • Unexpected files appearing in web-accessible directories outside the designated media upload folder
  • Web server access logs showing requests to unusual file paths containing .php or other executable extensions
  • File upload requests containing ../ or encoded path traversal sequences in request parameters
  • Newly created executable files in locations like /var/www/html/ or similar web roots

Detection Strategies

  • Monitor web application logs for file upload requests containing path traversal patterns such as ../, ..%2f, or %2e%2e/
  • Implement file integrity monitoring (FIM) on web-accessible directories to detect unauthorized file creation
  • Review LORIS application logs for anomalous upload activity from accounts with media module permissions
  • Configure web application firewalls (WAF) to block requests containing path traversal sequences

Monitoring Recommendations

  • Enable verbose logging for the LORIS media module to capture all file upload operations
  • Set up alerting for any new executable file creation in web server document roots
  • Monitor for outbound connections from the web server that may indicate post-exploitation activity
  • Regularly audit user permissions to ensure only necessary accounts have media upload capabilities

How to Mitigate CVE-2026-26984

Immediate Actions Required

  • Upgrade LORIS to version v26.0.5, v27.0.2, or v28.0.0 or later immediately
  • Audit existing files in web-accessible directories for any suspicious or unexpected content
  • Review user accounts with media module permissions and revoke unnecessary access
  • Implement network segmentation to limit the impact of potential compromise

Patch Information

The LORIS development team has released patched versions that address this vulnerability. Administrators should upgrade to the following fixed versions:

Review the GitHub Security Advisory GHSA-mpgc-c48m-6v2h for complete details on the vulnerability and remediation.

Workarounds

  • Disable the media module if it is not actively being used in your LORIS deployment
  • Configure the LORIS server filesystem as read-only to prevent file uploads (note: this prevents RCE but the path traversal may still be exploitable)
  • Implement strict web application firewall rules to block requests containing path traversal sequences
  • Restrict network access to the LORIS installation to trusted IP ranges only
bash
# Example: Disable media module in Apache configuration
# Add to your LORIS virtual host configuration to block access to media module
<Location "/media">
    Require all denied
</Location>

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne