CVE-2026-12473
Deferred Deferred - Pending Action

Unauthenticated OIDC Token Leak in OHIF DICOMWebProxy

Vulnerability report for CVE-2026-12473, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-25

Last updated on: 2026-06-26

Assigner: ICS-CERT

Description

Two data sources (DICOMWebProxy and DICOMJSON) shipped in the default configuration fetch an arbitrary URL parameter without validation. A global authentication service in OHIF automatically injects the authenticated user's OIDC Bearer token into the resulting requests, sending it to the attacker-controlled server. DICOMweb data sources are not impacted.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-25
Last Modified
2026-06-26
Generated
2026-07-16
AI Q&A
2026-06-26
EPSS Evaluated
2026-07-14
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
ohif global_authentication_service 3.12.2

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability involves two data sources, DICOMWebProxy and DICOMJSON, which in their default configuration fetch an arbitrary URL parameter without validating it. Because of this, a global authentication service in OHIF automatically injects the authenticated user's OIDC Bearer token into these requests. As a result, the token can be sent to an attacker-controlled server, potentially exposing sensitive authentication credentials.

Impact Analysis

The vulnerability can lead to unauthorized disclosure of the authenticated user's OIDC Bearer token to an attacker-controlled server. This could allow attackers to impersonate the user or gain unauthorized access to protected resources, leading to potential data breaches or unauthorized actions within the affected system.

Compliance Impact

This vulnerability causes the OHIF global authentication service to automatically inject the authenticated user's OIDC Bearer token into requests sent to attacker-controlled servers. This results in unauthorized disclosure of sensitive authentication tokens.

Such unauthorized disclosure of authentication tokens can lead to compromise of user identities and access to protected health information or personal data, which may violate data protection regulations such as GDPR and HIPAA.

Therefore, this vulnerability potentially impacts compliance with standards and regulations that require protection of personal and health data by exposing sensitive authentication credentials to attackers.

Mitigation Strategies

To mitigate this vulnerability, users should upgrade to OHIF version 3.12.2 or later, where the issue has been fixed.

  • Remove unused DicomWebProxyDataSource and DicomJSONDataSource configurations.
  • Minimize network exposure of the affected services.
  • Use VPNs for remote access to reduce risk.
  • Follow CISA's cybersecurity best practices.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-12473. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart