Compliance Impact

This vulnerability allows unauthorized access to files outside the intended directory, leading to high confidentiality impact due to unauthorized file disclosure.

Such unauthorized disclosure of sensitive or protected data can negatively affect compliance with common standards and regulations like GDPR and HIPAA, which require strict controls on data confidentiality and access.

Because the vulnerability enables attackers to download arbitrary files without authentication, it poses a risk of exposing personal or sensitive information, potentially resulting in regulatory violations.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-34392 is a path traversal vulnerability in the static file router component of the LORIS software, which is used for neuroimaging research data management.

This vulnerability allows an attacker to access files outside the intended directory by exploiting insufficient validation of user-supplied paths in the static, CSS, and JS endpoints.

The root cause is that the router concatenates directory paths and user input without properly restricting directory traversal, enabling unauthorized download of arbitrary files.

The issue is fixed in versions 27.0.3 and 28.0.1 by verifying that the resolved file path is within the allowed directory and returning a 404 error if it is not.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive or confidential files by allowing attackers to download files outside the intended directory.

Since no authentication is required and the attack can be performed remotely with low complexity, it poses a high risk to confidentiality.

However, it does not impact data integrity or availability.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves path traversal in the static file router of LORIS, allowing unauthorized file downloads via static, CSS, and JS endpoints. Detection can focus on monitoring requests to these endpoints for suspicious path traversal patterns such as '../' sequences.

• Use web server or application logs to search for requests containing directory traversal patterns like '../' or encoded equivalents targeting static, css, or js endpoints.
• Example command to search logs for traversal attempts: grep -E '\.\./|%2e%2e/' /path/to/loris/logs/access.log
• Use network monitoring tools or intrusion detection systems (IDS) to alert on HTTP requests with suspicious path traversal payloads targeting LORIS static file routes.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade LORIS to a patched version where the vulnerability is fixed.

• Upgrade LORIS to version 27.0.3 or later, or 28.0.1 or later, where the static file router properly validates and restricts file paths.
• If upgrading immediately is not possible, restrict access to the static, css, and js endpoints via network controls or web server configuration to limit exposure.
• Monitor logs for exploitation attempts and respond accordingly.

Useful 0 Not Useful 0