CVE-2026-35165
Status: Received - Intake
Insecure Direct Object Reference in LORIS Document Repository

Publication date: 2026-04-08

Last updated on: 2026-04-21

Assigner: GitHub, Inc.

Description
LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 21.0.0 to before 27.0.3 and 28.0.1, while the document_repository frontend was restricting file access, the backend endpoint was not correctly verifying access permissions. A user could theoretically download a file that they should not have access to, if they know or can brute force the filename. This vulnerability is fixed in 27.0.3 and 28.0.1.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-04-08
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (2 associated CPEs)
Vendor   Product   Version / Range
mcgill   loris     28.0.0
mcgill   loris     From 21.0.0 (inc) to 27.0.2 (inc)
CWE ID: CWE-639
Description: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-35165 is an authorization bypass vulnerability in the document_repository package of the LORIS web application versions 21.0.0 through 28.0.0.

While the frontend restricts file access, the backend endpoint does not properly verify user permissions before allowing file downloads.

This flaw allows a user to potentially download files they are not authorized to access if they know or can guess (brute force) the filename.

The vulnerability was fixed by adding backend checks that verify that the user has permission to access the site associated with the requested file, returning a 'Forbidden' response if not.
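As an added illustration (not LORIS code), the following Python models the flaw and the fix described above: a download handler that trusts the frontend's filtering beside one that re-checks, on the backend, whether the requesting user may access the file's site. Users, documents and site IDs are constructed sample data.

```python
# Added example, not LORIS code: an object-level authorization check for a
# document download endpoint, modelled on the fix described for CVE-2026-35165
# (verify the user may access the file's associated site; otherwise 403).
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    sites: set = field(default_factory=set)   # site IDs this user may access


@dataclass
class Document:
    filename: str
    site_id: int
    content: bytes


# Constructed sample repository; filenames and site IDs are hypothetical.
DOCUMENTS = {
    "site1_consent.pdf": Document("site1_consent.pdf", 1, b"%PDF site1"),
    "site2_protocol.pdf": Document("site2_protocol.pdf", 2, b"%PDF site2"),
}


def download_vulnerable(user: User, filename: str):
    """Backend assumes the frontend only listed permitted files, so any
    authenticated user who knows a filename receives its bytes (CWE-639)."""
    doc = DOCUMENTS.get(filename)
    if doc is None:
        return 404, b""
    return 200, doc.content


def download_fixed(user: User, filename: str):
    """Backend re-derives authorization from the object itself: the file's
    site must be one the user is allowed to access."""
    doc = DOCUMENTS.get(filename)
    if doc is None:
        return 404, b""
    if doc.site_id not in user.sites:
        # Decision is based on the record's owner site, never on what the UI showed.
        return 403, b"Forbidden"
    return 200, doc.content
```

A deployment that wants to avoid confirming that a guessed filename exists can return the same 404 for both the missing and the forbidden case; the advisory's fix as described returns 'Forbidden'.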


How can this vulnerability impact me?

This vulnerability can lead to unauthorized disclosure of sensitive files by allowing users to download files they should not have access to.

Since the attack requires only low privileges and no user interaction, an attacker with network access could exploit this to access confidential data.

The impact affects confidentiality, integrity, and availability at a low level, but unauthorized data access could still have serious consequences depending on the data involved.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves unauthorized file downloads by exploiting insufficient backend authorization checks in the document_repository module of LORIS. Detection can focus on monitoring access attempts to the backend file download endpoint, especially requests that include filenames that users should not have access to.

To detect potential exploitation, you can analyze web server logs for unusual or repeated GET requests to the document_repository backend endpoint with filenames that do not correspond to the requesting user's permissions.

Suggested commands include using tools like grep or curl to identify suspicious access patterns:

  • Use grep to find GET requests to the document_repository endpoint in your web server logs: grep 'GET /document_repository/' /var/log/apache2/access.log
  • Use curl to manually test access to specific files by attempting to download files with known or guessed filenames: curl -i -X GET 'https://your-loris-instance/document_repository/filename'

If unauthorized file downloads are possible, the server will respond with the file content instead of a forbidden message.
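The grep above only lists requests; as an added example (not from this page), the following Python applies the same idea to Apache combined-format access log lines and flags clients that request many distinct document names or that have failed lookups before a successful download, the filename-guessing pattern the advisory describes. The log lines are constructed, and the '/document_repository/' path prefix is assumed to match your deployment.

```python
# Added example, not from the advisory: scan Apache combined-format access log
# lines for document_repository downloads and flag guessing-style clients.
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
ENDPOINT = "/document_repository/"   # assumed path prefix; adjust to your instance

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - alice [08/Apr/2026:10:00:01 +0000] "GET /document_repository/site1_consent.pdf HTTP/1.1" 200 5120
10.0.0.9 - bob [08/Apr/2026:10:00:02 +0000] "GET /document_repository/site2_protocol.pdf HTTP/1.1" 404 0
10.0.0.9 - bob [08/Apr/2026:10:00:03 +0000] "GET /document_repository/site2_protocol_v2.pdf HTTP/1.1" 404 0
10.0.0.9 - bob [08/Apr/2026:10:00:04 +0000] "GET /document_repository/site2_protocol_final.pdf HTTP/1.1" 200 8192
10.0.0.9 - bob [08/Apr/2026:10:00:05 +0000] "GET /main.php HTTP/1.1" 200 300
"""


def summarize(lines):
    """Per client IP: distinct document names requested, 200s, and 403/404s."""
    stats = defaultdict(lambda: {"files": set(), "hits": 0, "misses": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET" or not m["path"].startswith(ENDPOINT):
            continue
        s = stats[m["ip"]]
        s["files"].add(m["path"][len(ENDPOINT):])
        if m["status"] == "200":
            s["hits"] += 1
        elif m["status"] in ("403", "404"):
            s["misses"] += 1
    return stats


def suspicious_clients(lines, max_distinct=2):
    """Clients that touched more than max_distinct document names, or that had
    failed lookups (guessing) alongside a successful download."""
    return sorted(ip for ip, s in summarize(lines).items()
                  if len(s["files"]) > max_distinct or (s["misses"] and s["hits"]))
```

Tune max_distinct to the normal per-user download volume of your instance, and correlate flagged IPs with the authenticated LORIS user to confirm whether the downloaded files belong to a site that user may access.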


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade LORIS to version 27.0.3 or 28.0.1, where the backend authorization checks have been properly implemented to prevent unauthorized file downloads.

If immediate upgrading is not possible, a workaround is to disable the document_repository module in LORIS projects that no longer require it, effectively removing access to the vulnerable backend endpoint.

Additionally, monitor and restrict access to the document_repository backend endpoint to trusted users only, and consider implementing network-level controls to limit exposure.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows unauthorized users to download files they should not have access to by bypassing backend authorization checks. Such unauthorized access to sensitive data can lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls on access to personal and health-related information.

Because the vulnerability impacts confidentiality by enabling unauthorized data disclosure, it poses a risk to compliance with standards that mandate protecting sensitive information from unauthorized access.

