CVE-2026-35446 Overview
LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data and project management for neuroimaging research. A path traversal vulnerability exists in LORIS versions from 24.0.0 before 27.0.3, and in 28.0.0 before 28.0.1: an incorrect order of operations in the FilesDownloadHandler allows an authenticated attacker to escape the intended download directories and read sensitive files on the system.
Critical Impact
Authenticated attackers can exploit this path traversal flaw to read arbitrary files outside the intended download directories, potentially exposing sensitive research data, configuration files, and system information.
Affected Products
- LORIS versions 24.0.0 through 27.0.2
- LORIS version 28.0.0
- Self-hosted LORIS instances used for neuroimaging research data management
Discovery Timeline
- 2026-04-08 - CVE-2026-35446 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2026-35446
Vulnerability Analysis
This vulnerability is classified as CWE-552 (Files or Directories Accessible to External Parties), manifesting as a path traversal weakness in the LORIS file download functionality. The flaw resides in the FilesDownloadHandler component, where an incorrect order of operations fails to properly validate and sanitize file path inputs before processing download requests.
The vulnerability requires authentication to exploit, so an attacker needs valid credentials for the LORIS instance. Once authenticated, however, the attacker can manipulate the file path parameter to traverse outside the intended download directory structure and read any file that the web server process (not the LORIS user, but the OS account the application runs as) has permission to read.
The impact is primarily on confidentiality, as attackers can read sensitive files but cannot modify or delete them through this vulnerability. Given that LORIS manages neuroimaging research data, exposure could include patient data, research results, database credentials, and application configuration files.
Root Cause
The advisory attributes the flaw to an incorrect sequence of operations within the FilesDownloadHandler component. The classic form of this bug is that the handler checks whether the requested path lies within the permitted download directories before the path has been canonicalized, so traversal sequences such as ../ (including percent-encoded forms once the web stack decodes them) are resolved only after the check has already passed. Any containment check that runs on the raw, un-normalized string can be bypassed this way, because "downloads/../../etc/passwd" still begins with the expected prefix.
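The following Python example is added here to illustrate the ordering bug described above; it is not LORIS's code (the real handler is written in PHP) and does not reproduce the exact LORIS logic. It contrasts a resolver that checks containment before canonicalizing with one that canonicalizes first, and exercises both against a throwaway directory tree that the example constructs itself. The file names and the "downloads" directory are placeholders.

```python
import os
import tempfile


def resolve_check_then_canonicalize(base_dir: str, requested: str) -> str:
    """WRONG order (illustrative, not the LORIS code): the containment check
    runs on the raw joined string, and canonicalization happens afterwards.

    "<base>/../config.xml" starts with "<base>/", so the check passes, and
    realpath() then resolves the ".." component to a path outside base_dir.
    """
    candidate = os.path.join(base_dir, requested)
    if not candidate.startswith(base_dir.rstrip(os.sep) + os.sep):
        raise PermissionError(f"outside download directory: {requested}")
    return os.path.realpath(candidate)  # '..' is resolved only after the check


def resolve_canonicalize_then_check(base_dir: str, requested: str) -> str:
    """RIGHT order: canonicalize both the base and the candidate first, so that
    "..", redundant separators and symlinks are resolved, then verify that the
    canonical candidate lies under the canonical base.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    # commonpath() is separator-aware: it rejects "<root>/downloads2/x" as a
    # child of "<root>/downloads", which a plain startswith() would accept.
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError(f"outside download directory: {requested}")
    return candidate


def demo() -> dict:
    """Build a throwaway directory tree (constructed for this example) and run
    both resolvers against a legitimate name and two traversal attempts."""
    root = os.path.realpath(tempfile.mkdtemp(prefix="loris-demo-"))
    base = os.path.join(root, "downloads")
    os.makedirs(base)
    legit = os.path.join(base, "sub01_T1w.nii.gz")
    secret = os.path.join(root, "config.xml")  # stands in for a config file outside the download dir
    for path in (legit, secret):
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")

    results = {}
    # 1. Traversal against the wrong-order resolver escapes the download directory.
    results["wrong_order_escapes"] = (
        resolve_check_then_canonicalize(base, "../config.xml") == secret
    )
    # 2. The same request against the right-order resolver is rejected.
    try:
        resolve_canonicalize_then_check(base, "../config.xml")
        results["right_order_blocks"] = False
    except PermissionError:
        results["right_order_blocks"] = True
    # 3. A legitimate download still resolves correctly with the right-order resolver.
    results["legit_allowed"] = (
        resolve_canonicalize_then_check(base, "sub01_T1w.nii.gz") == legit
    )
    # 4. A sibling directory that shares the base as a string prefix is also rejected.
    try:
        resolve_canonicalize_then_check(base, "../downloads2/x")
        results["sibling_blocked"] = False
    except PermissionError:
        results["sibling_blocked"] = True
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Because realpath() resolves symlinks, the right-order resolver also refuses a file inside the download directory that is a symlink pointing elsewhere; that is the behaviour you want for a download handler, since the containment decision must be made on the file that will actually be opened.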
Attack Vector
The attack is network-based and requires low-privilege authentication to the LORIS application. An authenticated user can craft malicious HTTP requests to the file download endpoint, manipulating the file path parameter to include directory traversal sequences. The incorrect order of operations in the handler processes these malicious paths before proper validation occurs, allowing the attacker to escape the download directory sandbox.
The attack requires no user interaction and can be performed remotely against any accessible LORIS instance running vulnerable versions. The scope is changed, meaning the vulnerability in LORIS can impact resources beyond the vulnerable component itself, such as the underlying operating system files.
Detection Methods for CVE-2026-35446
Indicators of Compromise
- HTTP requests to file download endpoints containing path traversal sequences such as ../, ..%2f, or ..%252f
- Download requests attempting to access files outside typical LORIS data directories (e.g., /etc/passwd, configuration files)
- Unusual file access patterns from authenticated user accounts, particularly accessing system files
- Web server logs showing successful downloads of files from unexpected directory paths
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block path traversal patterns in request parameters
- Monitor file access logs for reads of sensitive system files by the web application process
- Review LORIS application logs for unusual file download activity from authenticated users
- Enable file access auditing (for example auditd read/open watches on Linux) on sensitive directories such as the LORIS configuration directory; note that file integrity monitoring only detects modification, and this vulnerability reads files without changing them
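The Python example below is added to show the log-review strategy and the indicators listed above in working form; it is not part of the original page or of LORIS. It parses combined-format web server access log lines, percent-decodes the request target twice so that single-encoded (..%2f) and double-encoded (..%252f) traversal collapse to a literal "../", and reports each matching request together with its response status. The log lines, usernames, addresses and the /loris/download endpoint path are constructed placeholders, not real LORIS paths.

```python
import re
from urllib.parse import unquote

# Combined-format access log line as written by Apache or nginx. The request
# target is logged raw (undecoded), so percent-encoded traversal survives.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# A ".." path segment: preceded by start of string, a separator, or a query
# delimiter (=, ?, &), and followed by a separator or end of string. This
# matches "../x", "?file=../x" and "/a/..", but not "notes..txt".
TRAVERSAL_RE = re.compile(r'(?<![^/\\=?&])\.\.(?=[/\\]|$)')

# Constructed sample log lines for this example (not real traffic).
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - alice [08/Apr/2026:10:01:02 +0000] "GET /loris/download?file=sub01_T1w.nii.gz HTTP/1.1" 200 4194304',
    '10.0.0.9 - bob [08/Apr/2026:10:05:41 +0000] "GET /loris/download?file=../../../../etc/passwd HTTP/1.1" 200 2613',
    '10.0.0.9 - bob [08/Apr/2026:10:05:58 +0000] "GET /loris/download?file=..%2F..%2F..%2Fconfig%2Fconfig.xml HTTP/1.1" 200 8802',
    '10.0.0.9 - bob [08/Apr/2026:10:06:10 +0000] "GET /loris/download?file=..%252F..%252Fetc%252Fshadow HTTP/1.1" 403 199',
    '10.0.0.7 - carol [08/Apr/2026:10:09:00 +0000] "GET /loris/download?file=notes..txt HTTP/1.1" 200 120',
]


def decode_target(target: str, rounds: int = 2) -> str:
    """Percent-decode up to `rounds` times so that single (..%2f) and
    double (..%252f) encodings both collapse to a literal '../'."""
    cur = target
    for _ in range(rounds):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur


def is_traversal(target: str) -> bool:
    """True if the decoded request target contains a '..' path segment."""
    return TRAVERSAL_RE.search(decode_target(target)) is not None


def scan_access_log(lines):
    """Return one finding per request whose decoded target contains a
    traversal segment. 2xx responses are the ones to triage first: the server
    returned a body, which on a vulnerable version is the requested file."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_traversal(m["target"]):
            continue
        status = int(m["status"])
        findings.append({
            "user": m["user"],
            "ip": m["ip"],
            "status": status,
            "decoded_target": decode_target(m["target"]),
            "likely_success": 200 <= status < 300,
        })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS_LOG):
        flag = "SUCCESS?" if f["likely_success"] else "blocked"
        print(f'{f["user"]}@{f["ip"]} {f["status"]} {flag} {f["decoded_target"]}')
```

Web server logs only record the request line, so this catches traversal in the path or query string; if the file name is submitted in a POST body, the web server log will not show it and the LORIS application log or the audit trail of the web server process is the place to look. Matching on the decoded target rather than on raw "../" also avoids the false negatives that a plain substring search produces for the encoded variants.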
Monitoring Recommendations
- Enable verbose logging on the LORIS application and web server to capture full request details
- Configure alerts for any file access attempts outside the designated LORIS data directories
- Implement user behavior analytics to identify anomalous download patterns from authenticated accounts
- Regularly audit user accounts and their download activities within the LORIS platform
How to Mitigate CVE-2026-35446
Immediate Actions Required
- Upgrade LORIS immediately to version 27.0.3 or 28.0.1 which contain the security fix
- Review file download logs to identify any potential exploitation attempts prior to patching
- Audit user accounts for any suspicious activity or unauthorized file access
- Restrict network access to LORIS instances until patching is complete
Patch Information
The vulnerability has been fixed in LORIS versions 27.0.3 and 28.0.1. Organizations running LORIS versions 24.0.0 through 27.0.2 should upgrade to 27.0.3, while those running version 28.0.0 should upgrade to 28.0.1. The fix addresses the incorrect order of operations in the FilesDownloadHandler to properly validate file paths before processing download requests.
For detailed patch information and upgrade instructions, refer to the GitHub Security Advisory.
Workarounds
- Implement a web application firewall (WAF) with rules to block path traversal sequences in all request parameters
- Restrict file system permissions for the web server user to limit access to only necessary directories
- Deploy network segmentation to limit access to LORIS instances from untrusted networks
- Implement additional authentication controls and audit logging until the patch can be applied
# Example nginx rule to block common path traversal patterns in the raw request.
# Caveat: nginx decodes and normalizes the URI path before matching "location"
# blocks, and "location" never sees the query string, so a rule such as
# 'location ~* "\.\."' misses both "..%2f" in the path and "?file=../" in the
# query. Match on $request_uri instead, which holds the original, undecoded
# request line. This does not cover file names sent in a POST body.
server {
    # ... existing LORIS server configuration ...
    if ($request_uri ~* "(\.\.|%2e%2e|%252e%252e)(/|%2f|%252f|$)") {
        return 403;
    }
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

