Executive Summary

CVE-2026-39985 is an open redirect vulnerability in the LORIS web application, which is used for managing neuroimaging research data and projects.

Before versions 27.0.3 and 28.0.1, the login page's redirect parameter did not properly validate whether the URL provided for redirection was within the LORIS domain.

This flaw allowed attackers to craft login URLs with redirect parameters pointing to arbitrary external sites, potentially tricking users into visiting malicious URLs after login.

The vulnerability was fixed by adding validation to ensure that redirection only occurs within the same origin, preventing redirection to external sites.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact users by allowing attackers to redirect them to malicious external websites after login, potentially leading to phishing attacks or exposure to harmful content.

Since the redirect parameter was not validated, users could be tricked into clicking crafted links that appear legitimate but lead to untrusted sites.

The CVSS score of 4.3 indicates a moderate severity, with low complexity for exploitation and no privileges required, but user interaction is necessary.

The impact on confidentiality is low, with no impact on integrity or availability.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves an open redirect issue in the LORIS web application where the login redirect parameter is not properly validated. Detection involves checking if the LORIS instance is running a vulnerable version (prior to 27.0.3 or 28.0.1) and if the login redirect parameter can be manipulated to redirect to external URLs.

To detect this on your system, you can attempt to access the login page with a crafted redirect parameter pointing to an external URL and observe if the application redirects outside its domain.

• Use curl or wget to test the login redirect behavior, for example: curl -I 'https://your-loris-instance/login?redirect=https://malicious.example.com'
• Monitor web server logs for unusual redirect parameters or external URL redirects after login attempts.
• Check the installed LORIS version by querying the application or inspecting the deployment to verify if it is older than 27.0.3 or 28.0.1.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade the LORIS application to version 27.0.3 or 28.0.1 or later, where the vulnerability has been fixed.

These versions include validation of the redirect parameter to ensure it only redirects within the same origin, preventing open redirect attacks.

Until the upgrade can be applied, consider monitoring and restricting suspicious redirect parameters and educating users to avoid clicking on untrusted login links.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability is an open redirect issue that allows attackers to trick users into visiting arbitrary external URLs by manipulating the redirect parameter on login.

While the vulnerability has a low confidentiality impact and does not directly expose sensitive data, it could potentially be exploited in phishing or social engineering attacks, which may indirectly affect compliance with standards like GDPR or HIPAA that require protection against unauthorized access and user deception.

However, there is no explicit information in the provided context or resources linking this vulnerability directly to non-compliance with GDPR, HIPAA, or other common regulations.

Useful 0 Not Useful 0