CVE-2026-34392
Received Received - Intake

Directory Traversal in LORIS Static File Router Allows Data Exposure

Vulnerability report for CVE-2026-34392, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-08

Last updated on: 2026-04-17

Assigner: GitHub, Inc.

Description

LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 20.0.0 to before 27.0.3 and 28.0.1, a bug in the static file router can allow an attacker to traverse outside of the intended directory, allowing unintended files to be downloaded through the static, css, and js endpoints. This vulnerability is fixed in 27.0.3 and 28.0.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-08
Last Modified
2026-04-17
Generated
2026-07-06
AI Q&A
2026-04-08
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
mcgill loris 28.0.0
mcgill loris From 20.0.0 (inc) to 27.0.3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-552 The product makes files or directories accessible to unauthorized actors, even though they should not be.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-34392 is a path traversal vulnerability in the static file router component of the LORIS software, which is used for neuroimaging research data management.

This vulnerability allows an attacker to access files outside the intended directory by exploiting insufficient validation of user-supplied paths in the static, CSS, and JS endpoints.

The root cause is that the router concatenates directory paths and user input without properly restricting directory traversal, enabling unauthorized download of arbitrary files.

The issue is fixed in versions 27.0.3 and 28.0.1 by verifying that the resolved file path is within the allowed directory and returning a 404 error if it is not.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive or confidential files by allowing attackers to download files outside the intended directory.

Since no authentication is required and the attack can be performed remotely with low complexity, it poses a high risk to confidentiality.

However, it does not impact data integrity or availability.

Detection Guidance

This vulnerability involves path traversal in the static file router of LORIS, allowing unauthorized file downloads via static, CSS, and JS endpoints. Detection can focus on monitoring requests to these endpoints for suspicious path traversal patterns such as '../' sequences.

  • Use web server or application logs to search for requests containing directory traversal patterns like '../' or encoded equivalents targeting static, css, or js endpoints.
  • Example command to search logs for traversal attempts: grep -E '\.\./|%2e%2e/' /path/to/loris/logs/access.log
  • Use network monitoring tools or intrusion detection systems (IDS) to alert on HTTP requests with suspicious path traversal payloads targeting LORIS static file routes.
Mitigation Strategies

The primary mitigation is to upgrade LORIS to a patched version where the vulnerability is fixed.

  • Upgrade LORIS to version 27.0.3 or later, or 28.0.1 or later, where the static file router properly validates and restricts file paths.
  • If upgrading immediately is not possible, restrict access to the static, css, and js endpoints via network controls or web server configuration to limit exposure.
  • Monitor logs for exploitation attempts and respond accordingly.
Compliance Impact

This vulnerability allows unauthorized access to files outside the intended directory, leading to high confidentiality impact due to unauthorized file disclosure.

Such unauthorized disclosure of sensitive or protected data can negatively affect compliance with common standards and regulations like GDPR and HIPAA, which require strict controls on data confidentiality and access.

Because the vulnerability enables attackers to download arbitrary files without authentication, it poses a risk of exposing personal or sensitive information, potentially resulting in regulatory violations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34392. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart