CVE-2026-35165 Overview
LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data and project management for neuroimaging research. A backend authorization bypass vulnerability exists in the document_repository module affecting versions from 21.0.0 to before 27.0.3 and 28.0.1. While the frontend correctly restricts file access, the backend endpoint fails to properly verify access permissions, allowing authenticated users to download files they should not have access to if they know or can brute force the filename.
Critical Impact
Authenticated users can bypass frontend access controls to download restricted research documents and neuroimaging data by directly accessing backend endpoints with known or guessed filenames.
Affected Products
- LORIS (Longitudinal Online Research and Imaging System) versions 21.0.0 through 27.0.2
- LORIS (Longitudinal Online Research and Imaging System) version 28.0.0
Discovery Timeline
- 2026-04-08 - CVE CVE-2026-35165 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2026-35165
Vulnerability Analysis
This vulnerability represents a classic Insecure Direct Object Reference (IDOR) combined with Broken Access Control (CWE-639: Authorization Bypass Through User-Controlled Key). The security flaw arises from a disconnect between frontend and backend access control implementations in the LORIS document repository module.
The frontend application correctly implements access control checks to restrict which files users can view and download. However, the backend API endpoint that handles actual file retrieval does not perform the same authorization verification. This creates a security gap where an authenticated user can bypass frontend restrictions by directly calling the backend endpoint.
The attack requires the user to know or successfully guess the target filename. Given that research platforms often use predictable naming conventions for documents (such as study IDs, participant numbers, or sequential identifiers), filename brute-forcing becomes a viable attack vector. The vulnerability affects the confidentiality, integrity, and availability of sensitive neuroimaging research data.
Root Cause
The root cause is an inconsistent authorization model where access control enforcement exists only at the presentation layer (frontend) but not at the data access layer (backend). This violates the security principle of defense in depth and represents improper access control implementation. The backend endpoint trusts that all incoming requests have already been validated by the frontend, which is an unsafe assumption when direct API access is possible.
Attack Vector
The attack requires network access and low-privilege authentication to the LORIS platform. An attacker with valid credentials can:
- Authenticate to the LORIS application with any valid user account
- Identify or enumerate filenames in the document repository (through observation, pattern analysis, or brute force)
- Directly request files from the backend endpoint, bypassing frontend access checks
- Download documents they would normally be restricted from accessing
The vulnerability allows unauthorized data access through direct object reference manipulation. An authenticated attacker can enumerate filenames using predictable patterns common in research environments (e.g., subject IDs, study codes, date-based naming). By crafting direct requests to the backend document retrieval endpoint with these filenames, the attacker bypasses the frontend's access restrictions. This could expose sensitive neuroimaging research data, participant information, or confidential study documents. For technical implementation details, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-35165
Indicators of Compromise
- Unusual volume of file download requests from a single user account
- Sequential or pattern-based filename requests indicating enumeration attempts
- Access to document repository files outside of normal user workflow patterns
- Backend API requests that bypass the standard frontend application flow
Detection Strategies
- Monitor backend API endpoints for direct access patterns that skip frontend interaction
- Implement logging for all file access requests with user context and compare against authorized access lists
- Alert on high-frequency file download requests or requests with sequential filename patterns
- Review web server access logs for direct requests to document repository backend endpoints
Monitoring Recommendations
- Enable detailed audit logging for all document repository access events
- Configure alerts for file access requests that exceed normal user behavior baselines
- Monitor for automated or scripted access patterns to backend file retrieval endpoints
- Implement anomaly detection for filename enumeration patterns
How to Mitigate CVE-2026-35165
Immediate Actions Required
- Upgrade LORIS to version 27.0.3 or 28.0.1 immediately
- Review access logs for the document repository to identify potential unauthorized access
- Audit document repository contents for sensitive data exposure
- Consider restricting network access to LORIS instances while patching is in progress
Patch Information
The vulnerability has been addressed in LORIS versions 27.0.3 and 28.0.1. Organizations running affected versions should update immediately. The fix implements proper backend authorization checks that verify user permissions before allowing file downloads, ensuring consistency between frontend and backend access control enforcement. Patch details are available in the GitHub Security Advisory.
Workarounds
- Implement web application firewall (WAF) rules to restrict direct backend API access
- Add network-level access controls to limit document repository endpoint access to trusted sources
- Enable additional authentication requirements for document downloads
- Conduct a review of document repository file permissions and remove unnecessary sensitive data
# Configuration example - Review LORIS access logs for suspicious activity
grep -E "document_repository" /var/log/apache2/access.log | \
awk '{print $1, $7}' | \
sort | uniq -c | sort -rn | head -20
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
