CVE-2026-35403 Overview
CVE-2026-35403 is a Cross-Site Scripting (XSS) vulnerability affecting LORIS (Longitudinal Online Research and Imaging System), a self-hosted web application used for data and project management in neuroimaging research environments. The vulnerability exists in the survey_accounts module and can be exploited when a user provides an invalid visit label. Although the data is properly JSON encoded, the missing Content-Type header causes web browsers to interpret the response payload as HTML, enabling potential XSS attacks if a user is tricked into following a malicious link.
Critical Impact
Attackers can execute arbitrary JavaScript in the context of authenticated user sessions, potentially leading to session hijacking, data theft, or unauthorized actions within neuroimaging research systems containing sensitive patient data.
Affected Products
- LORIS versions from 15.10 to before 27.0.3
- LORIS versions 28.0.0 (prior to 28.0.1)
Discovery Timeline
- 2026-04-08 - CVE CVE-2026-35403 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2026-35403
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting. The flaw exists in how the LORIS survey_accounts module handles invalid visit label parameters in HTTP responses.
The core issue stems from a missing HTTP Content-Type header in server responses. When a user submits an invalid visit label, the application returns JSON-encoded data but fails to set the appropriate Content-Type: application/json header. This header omission allows browsers to perform content sniffing and interpret the response as HTML, creating an avenue for XSS payload execution.
The attack requires user interaction, as the victim must be convinced to follow a specially crafted link containing the malicious payload. If successful, the attacker gains the ability to execute arbitrary JavaScript within the victim's browser session, potentially accessing sensitive neuroimaging research data and patient information managed by the LORIS platform.
Root Cause
The root cause is the improper handling of HTTP response headers in the survey_accounts module. While the developers correctly implemented JSON encoding for the response data (a defense-in-depth measure), they failed to explicitly set the Content-Type response header to application/json. Without this header, browsers may fall back to content sniffing behavior, treating the response as HTML and rendering any embedded scripts.
Attack Vector
The attack vector is network-based and requires both user interaction and some level of authentication. An attacker must craft a malicious URL containing an XSS payload within an invalid visit label parameter. The attacker then uses social engineering techniques to convince an authenticated LORIS user to click the malicious link. When the victim's browser receives the improperly typed response, it interprets the payload as HTML, executing the embedded JavaScript in the context of the user's authenticated session.
The vulnerability exploitation flow involves:
- Attacker identifies the vulnerable endpoint in the survey_accounts module
- Attacker crafts a URL with a malicious visit label containing JavaScript payload
- Victim clicks the link while authenticated to LORIS
- Server returns JSON-encoded response without proper Content-Type header
- Browser interprets response as HTML and executes the malicious script
- Attacker gains access to session tokens, cookies, or can perform actions as the victim
For technical implementation details, see the GitHub Security Advisory.
Detection Methods for CVE-2026-35403
Indicators of Compromise
- HTTP requests to the survey_accounts module endpoint containing unusual or encoded characters in the visit label parameter
- Access logs showing unexpected parameter values with JavaScript syntax elements (e.g., <script>, onerror=, javascript:)
- User reports of unexpected browser behavior or unauthorized actions after clicking links to LORIS
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block requests containing XSS payloads in the visit label parameter
- Monitor HTTP response headers for missing Content-Type declarations, particularly on endpoints returning JSON data
- Deploy browser-based security controls such as Content Security Policy (CSP) headers to mitigate script execution from untrusted sources
- Review web server and application logs for requests to the survey_accounts endpoint with suspicious parameter patterns
Monitoring Recommendations
- Enable detailed logging for the survey_accounts module and related authentication endpoints
- Configure alerting for unusual patterns of access to survey-related URLs, especially from external referrers
- Monitor for session anomalies that may indicate session hijacking following XSS exploitation
- Implement user behavior analytics to detect unauthorized actions performed via compromised sessions
How to Mitigate CVE-2026-35403
Immediate Actions Required
- Upgrade LORIS installations to version 27.0.3 or 28.0.1 immediately
- Review access logs for potential exploitation attempts prior to patching
- Notify users about the vulnerability and advise against clicking untrusted links to the LORIS application
- Consider temporarily restricting access to the survey_accounts module if immediate patching is not possible
Patch Information
This vulnerability is fixed in LORIS versions 27.0.3 and 28.0.1. Organizations running affected versions (15.10 through pre-27.0.3 and version 28.0.0) should prioritize upgrading to the patched releases. The fix ensures that proper Content-Type headers are set on HTTP responses, preventing browsers from interpreting JSON data as HTML.
For complete patch details and upgrade instructions, refer to the GitHub Security Advisory.
Workarounds
- Configure a reverse proxy or WAF to add Content-Type: application/json headers to responses from the survey_accounts module
- Implement strict Content Security Policy (CSP) headers to prevent inline script execution
- Restrict network access to the LORIS application to trusted IP ranges until patching is complete
- Educate users about the risks of clicking untrusted links, especially those containing unusual parameters
# Example: Apache configuration to add Content-Type header
# Add to your LORIS virtual host configuration
<Location "/survey_accounts">
Header set Content-Type "application/json; charset=utf-8"
Header set X-Content-Type-Options "nosniff"
</Location>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
