Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-35165

CVE-2026-35165: LORIS Information Disclosure Vulnerability

CVE-2026-35165 is an information disclosure vulnerability in LORIS allowing unauthorized file access through backend endpoints. This article covers the technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-35165 Overview

LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data and project management for neuroimaging research. A backend authorization bypass vulnerability exists in the document_repository module affecting versions from 21.0.0 to before 27.0.3 and 28.0.1. While the frontend correctly restricts file access, the backend endpoint fails to properly verify access permissions, allowing authenticated users to download files they should not have access to if they know or can brute force the filename.

Critical Impact

Authenticated users can bypass frontend access controls to download restricted research documents and neuroimaging data by directly accessing backend endpoints with known or guessed filenames.

Affected Products

  • LORIS (Longitudinal Online Research and Imaging System) versions 21.0.0 through 27.0.2
  • LORIS (Longitudinal Online Research and Imaging System) version 28.0.0

Discovery Timeline

  • 2026-04-08 - CVE CVE-2026-35165 published to NVD
  • 2026-04-08 - Last updated in NVD database

Technical Details for CVE-2026-35165

Vulnerability Analysis

This vulnerability represents a classic Insecure Direct Object Reference (IDOR) combined with Broken Access Control (CWE-639: Authorization Bypass Through User-Controlled Key). The security flaw arises from a disconnect between frontend and backend access control implementations in the LORIS document repository module.

The frontend application correctly implements access control checks to restrict which files users can view and download. However, the backend API endpoint that handles actual file retrieval does not perform the same authorization verification. This creates a security gap where an authenticated user can bypass frontend restrictions by directly calling the backend endpoint.

The attack requires the user to know or successfully guess the target filename. Given that research platforms often use predictable naming conventions for documents (such as study IDs, participant numbers, or sequential identifiers), filename brute-forcing becomes a viable attack vector. The vulnerability affects the confidentiality, integrity, and availability of sensitive neuroimaging research data.

Root Cause

The root cause is an inconsistent authorization model where access control enforcement exists only at the presentation layer (frontend) but not at the data access layer (backend). This violates the security principle of defense in depth and represents improper access control implementation. The backend endpoint trusts that all incoming requests have already been validated by the frontend, which is an unsafe assumption when direct API access is possible.

Attack Vector

The attack requires network access and low-privilege authentication to the LORIS platform. An attacker with valid credentials can:

  1. Authenticate to the LORIS application with any valid user account
  2. Identify or enumerate filenames in the document repository (through observation, pattern analysis, or brute force)
  3. Directly request files from the backend endpoint, bypassing frontend access checks
  4. Download documents they would normally be restricted from accessing

The vulnerability allows unauthorized data access through direct object reference manipulation. An authenticated attacker can enumerate filenames using predictable patterns common in research environments (e.g., subject IDs, study codes, date-based naming). By crafting direct requests to the backend document retrieval endpoint with these filenames, the attacker bypasses the frontend's access restrictions. This could expose sensitive neuroimaging research data, participant information, or confidential study documents. For technical implementation details, refer to the GitHub Security Advisory.

Detection Methods for CVE-2026-35165

Indicators of Compromise

  • Unusual volume of file download requests from a single user account
  • Sequential or pattern-based filename requests indicating enumeration attempts
  • Access to document repository files outside of normal user workflow patterns
  • Backend API requests that bypass the standard frontend application flow

Detection Strategies

  • Monitor backend API endpoints for direct access patterns that skip frontend interaction
  • Implement logging for all file access requests with user context and compare against authorized access lists
  • Alert on high-frequency file download requests or requests with sequential filename patterns
  • Review web server access logs for direct requests to document repository backend endpoints

Monitoring Recommendations

  • Enable detailed audit logging for all document repository access events
  • Configure alerts for file access requests that exceed normal user behavior baselines
  • Monitor for automated or scripted access patterns to backend file retrieval endpoints
  • Implement anomaly detection for filename enumeration patterns

How to Mitigate CVE-2026-35165

Immediate Actions Required

  • Upgrade LORIS to version 27.0.3 or 28.0.1 immediately
  • Review access logs for the document repository to identify potential unauthorized access
  • Audit document repository contents for sensitive data exposure
  • Consider restricting network access to LORIS instances while patching is in progress

Patch Information

The vulnerability has been addressed in LORIS versions 27.0.3 and 28.0.1. Organizations running affected versions should update immediately. The fix implements proper backend authorization checks that verify user permissions before allowing file downloads, ensuring consistency between frontend and backend access control enforcement. Patch details are available in the GitHub Security Advisory.

Workarounds

  • Implement web application firewall (WAF) rules to restrict direct backend API access
  • Add network-level access controls to limit document repository endpoint access to trusted sources
  • Enable additional authentication requirements for document downloads
  • Conduct a review of document repository file permissions and remove unnecessary sensitive data
bash
# Configuration example - Review LORIS access logs for suspicious activity
grep -E "document_repository" /var/log/apache2/access.log | \
  awk '{print $1, $7}' | \
  sort | uniq -c | sort -rn | head -20

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne