CVE-2026-35446
Directory Traversal in LORIS FilesDownloadHandler Allows Data Access Escape
Publication date: 2026-04-08
Last updated on: 2026-04-21
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mcgill | loris | 28.0.0 |
| mcgill | loris | From 24.0.0 (inc) to 27.0.2 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-552 | The product makes files or directories accessible to unauthorized actors, even though they should not be. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-35446 is a high-severity path traversal vulnerability in the LORIS software versions from 24.0.0 up to 27.0.2 and 28.0.0. It arises from an incorrect order of operations in the FilesDownloadHandler component, where URL decoding was performed after resolving the file path. This flaw allows an attacker to escape the intended download directories and access unauthorized files or directories.
The vulnerability affects multiple LORIS modules including data_release, document_repository, electrophysiology_browser, electrophysiology_uploader, genomic_browser, media, mri_violations, and publication. The root cause is improper handling of file path decoding and resolution, which can be exploited to traverse directories and access files outside the allowed scope.
The issue was fixed in LORIS versions 27.0.3 and 28.0.1 by changing the code to first URL decode the filename and then resolve the path, ensuring proper sanitization and preventing directory traversal.
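As an added illustration (not LORIS's own PHP code), the following Python contrasts the two orderings the answer above describes: a handler that resolves and checks the requested name and only then URL-decodes it, and the corrected handler that decodes first, resolves the real path, and then verifies the result still lies inside the module's download root. The download root, the file names and the `resolve_download_path_*` function names are constructed for the demo.

```python
import shutil
import tempfile
import urllib.parse
from pathlib import Path


class TraversalError(ValueError):
    """Raised when a requested name would resolve outside the download root."""


def _stays_inside(base: Path, candidate: Path) -> bool:
    """True if candidate (already resolved) is base itself or lies below it."""
    return candidate == base or candidate.is_relative_to(base)


def resolve_download_path_fixed(base_dir: str, requested: str) -> str:
    """Corrected ordering: URL-decode, then resolve, then check containment.

    Illustrative Python version of the ordering the advisory describes for
    the 27.0.3 / 28.0.1 fix; it is not LORIS's code. Absolute names are also
    rejected, because joining them replaces the base directory.
    """
    base = Path(base_dir).resolve()
    decoded = urllib.parse.unquote(requested)        # step 1: decode the user input
    candidate = (base / decoded).resolve()           # step 2: resolve the real path
    if not _stays_inside(base, candidate):           # step 3: containment check
        raise TraversalError(f"refusing {requested!r}: resolves outside {base}")
    return str(candidate)


def resolve_download_path_buggy(base_dir: str, requested: str) -> str:
    """Flawed ordering (decode after resolve), shown for contrast only.

    The containment check sees the still-encoded name, in which '%2e%2e' is
    just an ordinary-looking directory name, so the check passes; decoding
    afterwards turns it back into '..' for the filesystem to honour.
    """
    base = Path(base_dir).resolve()
    candidate = (base / requested).resolve()         # '%2e%2e' treated as a plain name
    if not _stays_inside(base, candidate):
        raise TraversalError(f"refusing {requested!r}")
    return urllib.parse.unquote(str(candidate))      # decoding last re-introduces '..'


def demo() -> dict:
    """Run both orderings against a constructed download root and report
    whether an encoded name escapes it. Returns plain booleans for checking."""
    root = Path(tempfile.mkdtemp(prefix="loris-demo-"))
    try:
        downloads = root / "data_release"            # constructed module download root
        downloads.mkdir()
        (downloads / "release.csv").write_text("constructed sample\n")
        (root / "outside.txt").write_text("must never be served\n")
        encoded = "%2e%2e/outside.txt"               # URL-encoded form of '../outside.txt'

        results = {}
        served = resolve_download_path_fixed(str(downloads), "release.csv")
        results["fixed_serves_normal_file"] = Path(served) == (downloads / "release.csv").resolve()
        try:
            resolve_download_path_fixed(str(downloads), encoded)
            results["fixed_blocks_encoded"] = False
        except TraversalError:
            results["fixed_blocks_encoded"] = True

        # The flawed ordering passes its own check and returns a path that the
        # filesystem resolves to the file outside the download root.
        leaked = resolve_download_path_buggy(str(downloads), encoded)
        results["buggy_escapes"] = Path(leaked).resolve() == (root / "outside.txt").resolve()
        return results
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The containment check runs on the resolved path rather than on the string, so symlinks inside the download root are followed before the comparison and cannot be used to reach outside it.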
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an attacker to escape intended download directories and access unauthorized files or directories, leading to a high confidentiality impact.
Such unauthorized access to sensitive data could result in violations of data protection regulations and standards like GDPR and HIPAA, which mandate strict controls on access to personal and health-related information.
How can this vulnerability impact me?
This vulnerability can allow an attacker with low privileges to remotely access unauthorized files or directories on the server running LORIS. Because the attacker can escape the intended download directories, sensitive or confidential data stored outside those directories could be exposed.
The CVSS score indicates a high impact on confidentiality, meaning unauthorized data access is possible. However, the vulnerability does not affect data integrity or availability.
Such unauthorized access could lead to data leaks, exposure of sensitive research data, or other confidential information managed by LORIS, potentially harming the organization's privacy and security posture.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves an incorrect order of operations in the FilesDownloadHandler component of LORIS, allowing path traversal to escape intended download directories.
To detect exploitation attempts on your system or network, you can monitor HTTP requests targeting the affected LORIS modules (such as data_release, document_repository, electrophysiology_browser, electrophysiology_uploader, genomic_browser, media, mri_violations, and publication) for suspicious file download requests containing path traversal patterns like '../' or URL-encoded equivalents.
- Use web server access logs to search for requests with suspicious path traversal sequences, for example on Apache:
  `grep -E "(\.\./|%2e%2e/)" /var/log/apache2/access.log`
  or for Nginx:
  `grep -E "(\.\./|%2e%2e/)" /var/log/nginx/access.log`
- Monitor application logs for unexpected file access or errors related to file downloads.
- Use network monitoring tools to detect unusual HTTP GET requests targeting download endpoints with encoded traversal sequences.
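The grep patterns above match literal `../` and lowercase `%2e%2e/`, but miss uppercase encodings such as `%2E%2E%2F` and double-encoded forms such as `%252e%252e%252f`. The following Python, added here as an example and not part of the advisory, fully percent-decodes each request target before looking for a `..` segment, and tags each hit with whichever affected module name appears in the path so that triage can be prioritised. The log lines are constructed, and the URL routes in them are hypothetical placeholders rather than LORIS's real download endpoints.

```python
import re
import urllib.parse

# Modules the advisory lists as affected by CVE-2026-35446.
AFFECTED_MODULES = {
    "data_release", "document_repository", "electrophysiology_browser",
    "electrophysiology_uploader", "genomic_browser", "media",
    "mri_violations", "publication",
}

# Apache/Nginx "combined" access-log format: client, ident, user, [timestamp],
# "METHOD target PROTO", status, size, referer, user-agent.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})\b'
)

# A '..' standing alone as a path or query segment (after decoding); a name
# such as 'notes...txt' does not match.
DOTDOT_SEGMENT = re.compile(r'(?:^|[\\/?=&])\.\.(?:[\\/&?]|$)')


def fully_decode(text: str, max_rounds: int = 3) -> str:
    """Percent-decode until the text stops changing, so double-encoded
    sequences (%252e -> %2e -> .) are reduced to their plain form."""
    current = text
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def has_traversal(target: str) -> bool:
    """True if the fully decoded request target contains a '..' segment
    anywhere in its path or query string."""
    return DOTDOT_SEGMENT.search(fully_decode(target)) is not None


def affected_module(target: str):
    """Return the affected module named in the decoded URL path, if any."""
    path = fully_decode(target).split("?", 1)[0]
    for segment in path.split("/"):
        if segment in AFFECTED_MODULES:
            return segment
    return None


def scan_log(lines):
    """Return one record per request whose target carries a traversal sequence.
    The HTTP status is kept so triage can tell a served file (200) from a
    rejected request (403/404). Lines not in combined format are skipped."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        target = match.group("target")
        if not has_traversal(target):
            continue
        hits.append({
            "client": match.group("client"),
            "time": match.group("ts"),
            "status": int(match.group("status")),
            "module": affected_module(target),
            "target": target,
        })
    return hits


# Constructed sample lines; the routes are hypothetical placeholders.
SAMPLE_LOG = [
    '10.0.0.5 - alice [08/Apr/2026:10:00:01 +0000] "GET /loris/media/download?file=scan01.nii HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '10.0.0.5 - alice [08/Apr/2026:10:00:09 +0000] "GET /loris/media/download?file=%2e%2e/%2e%2e/secret.txt HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '10.0.0.7 - bob [08/Apr/2026:10:02:14 +0000] "GET /loris/document_repository/download?file=%2E%2E%2F%2E%2E%2Fsecret.txt HTTP/1.1" 200 812 "-" "curl/8.0"',
    '10.0.0.7 - bob [08/Apr/2026:10:02:40 +0000] "GET /loris/genomic_browser/download?file=%252e%252e%252fsecret.txt HTTP/1.1" 403 0 "-" "curl/8.0"',
    '10.0.0.9 - - [08/Apr/2026:10:05:00 +0000] "GET /loris/publication/download?file=notes...txt HTTP/1.1" 200 120 "-" "Mozilla/5.0"',
    'not a log line at all',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Run it against a real file with `scan_log(open("/var/log/apache2/access.log"))`; a hit with status 200 on an unpatched instance deserves immediate follow-up, while 403/404 hits show the same probing being rejected.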
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade LORIS to a fixed version, specifically version 27.0.3 or 28.0.1, where the vulnerability has been patched.
If upgrading immediately is not possible, you can apply the patch manually as described in the advisory to correct the order of operations in the FilesDownloadHandler.
Alternatively, disabling all affected modules (such as data_release, document_repository, electrophysiology_browser, electrophysiology_uploader, genomic_browser, media, mri_violations, and publication) can serve as a temporary workaround to prevent exploitation.