CVE-2026-35400 Overview
LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data and project management for neuroimaging research. A vulnerability exists in the publication module where an endpoint incorrectly trusts the baseURL parameter submitted in user POST requests rather than using the internal LORIS configuration value. This allows an authenticated attacker with publication module access to forge emails that appear to originate from LORIS but direct recipients to an external domain under the attacker's control.
Critical Impact
Authenticated users with publication module access can exploit this vulnerability to send spoofed emails appearing to come from LORIS, potentially enabling phishing attacks against research team members and collaborators.
Affected Products
- LORIS versions 20.0.0 through 27.0.2
- LORIS version 28.0.0
Discovery Timeline
- 2026-04-08 - CVE-2026-35400 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2026-35400
Vulnerability Analysis
This vulnerability exists within the publication module of LORIS, where email functionality does not properly validate the source of the baseURL parameter. When processing POST requests, the affected endpoint accepts a user-supplied baseURL value instead of relying on the internally configured LORIS base URL. This design flaw enables an attacker to manipulate the destination URLs embedded in outgoing emails.
The vulnerability requires authentication and specific access to the publication module, limiting the attack surface to authorized users. However, an attacker who has gained legitimate access or compromised a user account with publication module permissions could weaponize this flaw to conduct targeted phishing campaigns. Emails generated through this mechanism would appear legitimate to recipients, as they originate from the actual LORIS installation's email infrastructure.
The CWE-59 (Improper Link Resolution Before File Access) classification indicates the vulnerability relates to improper handling of references, in this case URL references used in email generation.
Root Cause
The root cause is insufficient input validation and improper trust of user-supplied data. The publication module endpoint accepts the baseURL parameter from POST request data without verifying it matches the legitimate LORIS installation URL stored in the application's configuration. The application should be retrieving the baseURL from its internal configuration rather than trusting external input for security-sensitive operations like email generation.
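The following added example (not LORIS code; the configuration key, function names and the /publication/view/ path are illustrative assumptions) shows the two patterns the root-cause description contrasts: a link builder that reads baseURL from the POST body beside one that reads it only from configuration, plus a same-origin check for any code path that still has to accept a client-supplied base URL.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the LORIS configuration value (assumption: the
# installation's base URL lives in configuration; the key name is illustrative).
CONFIG = {"url": "https://loris.example.org"}

# Constructed POST body in the shape the advisory describes: the client
# supplies its own baseURL next to the real publication fields.
ATTACKER_POST = {
    "title": "Quarterly data release",
    "baseURL": "https://loris-example.attacker.invalid",
}


def email_link_vulnerable(post, config):
    """Vulnerable pattern: the link base is taken from the request body,
    so whoever sends the POST controls the host in the outgoing email."""
    base = post.get("baseURL", config["url"])
    return f"{base.rstrip('/')}/publication/view/"


def email_link_fixed(post, config):
    """Fixed pattern: the request body is ignored for this purpose and the
    link base always comes from the installation's own configuration."""
    return f"{config['url'].rstrip('/')}/publication/view/"


def same_origin(candidate, configured):
    """Defensive check for code paths that must still accept a client baseURL:
    accept only if scheme and host match the configured URL exactly, which
    rejects look-alike hosts and scheme downgrades alike."""
    c, k = urlsplit(candidate), urlsplit(configured)
    return (c.scheme.lower(), c.netloc.lower()) == (k.scheme.lower(), k.netloc.lower())


def email_link_validated(post, config):
    """Middle ground: honour a supplied baseURL only when it is same-origin
    with the configured URL; otherwise fall back to configuration."""
    base = post.get("baseURL")
    if base is None or not same_origin(base, config["url"]):
        base = config["url"]
    return f"{base.rstrip('/')}/publication/view/"


if __name__ == "__main__":
    print("vulnerable:", email_link_vulnerable(ATTACKER_POST, CONFIG))
    print("fixed:     ", email_link_fixed(ATTACKER_POST, CONFIG))
    print("validated: ", email_link_validated(ATTACKER_POST, CONFIG))
```

The comparison in same_origin deliberately includes the scheme, so a request that keeps the correct host but switches to plain http is also rejected rather than silently producing a downgraded link.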
Attack Vector
The attack is network-based and requires an authenticated user with access to the publication module. The attacker would craft a malicious POST request to the vulnerable endpoint, substituting the legitimate baseURL with a domain under their control. When LORIS generates and sends the email, any links within the message would point to the attacker's domain rather than the legitimate LORIS installation. Recipients receiving these emails would see what appears to be official communication from the research platform but would be directed to a malicious site if they click any embedded links.
The attack requires user interaction from the email recipient to click malicious links, and the integrity impact is limited to the spoofed email content without affecting the confidentiality or availability of the LORIS system itself.
Detection Methods for CVE-2026-35400
Indicators of Compromise
- Outbound emails from LORIS containing URLs pointing to unexpected or external domains
- POST requests to publication module endpoints with baseURL parameters that differ from the configured LORIS URL
- User reports of suspicious emails appearing to originate from the LORIS platform
Detection Strategies
- Implement logging and monitoring of POST requests to the publication module, specifically capturing the baseURL parameter values
- Configure email gateway rules to flag or block outgoing emails from LORIS that contain links to domains not on an approved allowlist
- Audit user accounts with publication module access for any unauthorized or compromised credentials
Monitoring Recommendations
- Review web server access logs for unusual POST request patterns targeting the publication module
- Set up alerts for email generation activity that includes non-standard base URLs
- Monitor authentication logs for suspicious access patterns to accounts with publication module permissions
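As an added example of the logging and email-gateway checks recommended above (not part of the advisory and not LORIS tooling), the script below runs two detections over constructed data: it flags POST requests to the publication module whose baseURL does not match the configured LORIS URL, and it lists links in an outgoing email whose host is not on an allowlist. Standard web server access logs do not record POST bodies, so the first check assumes an application-side audit log in JSON-lines form; the log layout, the /publication/upload path and the host names are all constructed placeholders.

```python
import json
import re
from urllib.parse import urlsplit

# Assumed configured LORIS URL and the hosts an outgoing email may link to.
CONFIGURED_URL = "https://loris.example.org"
ALLOWED_LINK_HOSTS = {"loris.example.org", "www.example.org"}

# Constructed application audit log (JSON lines). The path and field names
# are placeholders; the point is that the baseURL parameter is recorded.
AUDIT_LOG = """\
{"ts":"2026-04-09T10:01:12Z","user":"alice","method":"POST","path":"/publication/upload","params":{"title":"Release 3","baseURL":"https://loris.example.org"}}
{"ts":"2026-04-09T10:05:40Z","user":"bob","method":"POST","path":"/publication/upload","params":{"title":"Release 4","baseURL":"https://loris-example.attacker.invalid"}}
{"ts":"2026-04-09T10:06:02Z","user":"carol","method":"GET","path":"/publication/view","params":{}}
{"ts":"2026-04-09T10:09:55Z","user":"bob","method":"POST","path":"/publication/upload","params":{"title":"Release 5","baseURL":"http://loris.example.org"}}
"""

# Constructed body of an outgoing email, as an email gateway would see it.
EMAIL_BODY = """\
A new publication has been proposed. Review it at
https://loris.example.org/publication/view/ or visit
https://loris-example.attacker.invalid/login to confirm your access.
"""


def host_mismatches(candidate, configured=CONFIGURED_URL):
    """True when scheme or host differs from the configured LORIS URL."""
    c, k = urlsplit(candidate), urlsplit(configured)
    return (c.scheme.lower(), c.netloc.lower()) != (k.scheme.lower(), k.netloc.lower())


def flag_baseurl_requests(log_text, configured=CONFIGURED_URL):
    """Return (timestamp, user, baseURL) for every POST to the publication
    module whose baseURL parameter does not match the configured URL."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec["method"] != "POST" or not rec["path"].startswith("/publication/"):
            continue
        base = rec.get("params", {}).get("baseURL")
        if base is not None and host_mismatches(base, configured):
            hits.append((rec["ts"], rec["user"], base))
    return hits


URL_RE = re.compile(r"https?://[^\s<>\"']+")


def unapproved_links(body, allowed_hosts=ALLOWED_LINK_HOSTS):
    """Return URLs in an outgoing email whose host is not on the allowlist;
    a gateway rule would quarantine or flag a message where this is non-empty."""
    return [
        url for url in URL_RE.findall(body)
        if (urlsplit(url).hostname or "").lower() not in allowed_hosts
    ]


if __name__ == "__main__":
    for ts, user, base in flag_baseurl_requests(AUDIT_LOG):
        print(f"ALERT {ts} user={user} baseURL={base}")
    for url in unapproved_links(EMAIL_BODY):
        print(f"UNAPPROVED LINK {url}")
```

The request check flags the plain-http entry as well as the look-alike host, since a downgraded scheme in a mailed link is also a deviation from the configured value; tune that to taste if your deployment legitimately serves both schemes.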
How to Mitigate CVE-2026-35400
Immediate Actions Required
- Upgrade LORIS to version 27.0.3 or 28.0.1 immediately
- Audit recent emails sent through the publication module for any signs of URL manipulation
- Review and restrict access to the publication module to only essential users
Patch Information
The vulnerability is fixed in LORIS versions 27.0.3 and 28.0.1. Organizations running versions 20.0.0 through 27.0.2 should upgrade to 27.0.3, while those running version 28.0.0 should upgrade to 28.0.1. Detailed patch information is available in the GitHub Security Advisory.
Workarounds
- Restrict publication module access to a minimum number of trusted users until patching is complete
- Implement network-level controls to limit which domains can be referenced in outgoing emails from the LORIS server
- Consider temporarily disabling the publication module email functionality if it is not critical to operations
# Review current LORIS version
cat /path/to/loris/VERSION
# After upgrading, verify the new version is installed
cat /path/to/loris/VERSION
# Expected output: 27.0.3 or 28.0.1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.