Executive Summary

CVE-2026-35446 is a high-severity path traversal vulnerability in the LORIS software versions from 24.0.0 up to 27.0.2 and 28.0.0. It arises from an incorrect order of operations in the FilesDownloadHandler component, where URL decoding was performed after resolving the file path. This flaw allows an attacker to escape the intended download directories and access unauthorized files or directories.

The vulnerability affects multiple LORIS modules including data_release, document_repository, electrophysiology_browser, electrophysiology_uploader, genomic_browser, media, mri_violations, and publication. The root cause is improper handling of file path decoding and resolution, which can be exploited to traverse directories and access files outside the allowed scope.

The issue was fixed in LORIS versions 27.0.3 and 28.0.1 by changing the code to first URL decode the filename and then resolve the path, ensuring proper sanitization and preventing directory traversal.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an attacker with low privileges to remotely access unauthorized files or directories on the server running LORIS. Because the attacker can escape the intended download directories, sensitive or confidential data stored outside those directories could be exposed.

The CVSS score indicates a high impact on confidentiality, meaning unauthorized data access is possible. However, the vulnerability does not affect data integrity or availability.

Such unauthorized access could lead to data leaks, exposure of sensitive research data, or other confidential information managed by LORIS, potentially harming the organization’s privacy and security posture.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves an incorrect order of operations in the FilesDownloadHandler component of LORIS, allowing path traversal to escape intended download directories.

To detect exploitation attempts on your system or network, you can monitor HTTP requests targeting the affected LORIS modules (such as data_release, document_repository, electrophysiology_browser, electrophysiology_uploader, genomic_browser, media, mri_violations, and publication) for suspicious file download requests containing path traversal patterns like '../' or URL-encoded equivalents.

• Use web server access logs to search for requests with suspicious path traversal sequences, for example:
• grep -E "(\.\./|%2e%2e/)" /var/log/apache2/access.log
• or for Nginx:
• grep -E "(\.\./|%2e%2e/)" /var/log/nginx/access.log
• Monitor application logs for unexpected file access or errors related to file downloads.
• Use network monitoring tools to detect unusual HTTP GET requests targeting download endpoints with encoded traversal sequences.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade LORIS to a fixed version, specifically version 27.0.3 or 28.0.1, where the vulnerability has been patched.

If upgrading immediately is not possible, you can apply the patch manually as described in the advisory to correct the order of operations in the FilesDownloadHandler.

Alternatively, disabling all affected modules (such as data_release, document_repository, electrophysiology_browser, electrophysiology_uploader, genomic_browser, media, mri_violations, and publication) can serve as a temporary workaround to prevent exploitation.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows an attacker to escape intended download directories and access unauthorized files or directories, leading to a high confidentiality impact.

Such unauthorized access to sensitive data could result in violations of data protection regulations and standards like GDPR and HIPAA, which mandate strict controls on access to personal and health-related information.

Useful 0 Not Useful 0