CVE-2026-34392
Directory Traversal in LORIS Static File Router Allows Data Exposure
Publication date: 2026-04-08
Last updated on: 2026-04-17
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mcgill | loris | 28.0.0 |
| mcgill | loris | From 20.0.0 (inc) to 27.0.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-552 | The product makes files or directories accessible to unauthorized actors, even though they should not be. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-34392 is a path traversal vulnerability in the static file router component of the LORIS software, which is used for neuroimaging research data management.
This vulnerability allows an attacker to access files outside the intended directory by exploiting insufficient validation of user-supplied paths in the static, CSS, and JS endpoints.
The root cause is that the router concatenates directory paths and user input without properly restricting directory traversal, enabling unauthorized download of arbitrary files.
The issue is fixed in versions 27.0.3 and 28.0.1 by verifying that the resolved file path is within the allowed directory and returning a 404 error if it is not.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows unauthorized access to files outside the intended directory, leading to high confidentiality impact due to unauthorized file disclosure.
Such unauthorized disclosure of sensitive or protected data can negatively affect compliance with common standards and regulations like GDPR and HIPAA, which require strict controls on data confidentiality and access.
Because the vulnerability enables attackers to download arbitrary files without authentication, it poses a risk of exposing personal or sensitive information, potentially resulting in regulatory violations.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized disclosure of sensitive or confidential files by allowing attackers to download files outside the intended directory.
Since no authentication is required and the attack can be performed remotely with low complexity, it poses a high risk to confidentiality.
However, it does not impact data integrity or availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves path traversal in the static file router of LORIS, allowing unauthorized file downloads via static, CSS, and JS endpoints. Detection can focus on monitoring requests to these endpoints for suspicious path traversal patterns such as '../' sequences.
- Use web server or application logs to search for requests containing directory traversal patterns like '../' or encoded equivalents targeting static, css, or js endpoints.
- Example command to search logs for traversal attempts: grep -E '\.\./|%2e%2e/' /path/to/loris/logs/access.log
- Use network monitoring tools or intrusion detection systems (IDS) to alert on HTTP requests with suspicious path traversal payloads targeting LORIS static file routes.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade LORIS to a patched version where the vulnerability is fixed.
- Upgrade LORIS to version 27.0.3 or later, or 28.0.1 or later, where the static file router properly validates and restricts file paths.
- If upgrading immediately is not possible, restrict access to the static, css, and js endpoints via network controls or web server configuration to limit exposure.
- Monitor logs for exploitation attempts and respond accordingly.