CVE-2026-26985 (GCVE-0-2026-26985)

Vulnerability from cvelistv5 – Published: 2026-02-25 21:26 – Updated: 2026-02-25 21:39
Title
LORIS vulnerable to path traversal in electrophysiology_browser
Summary
LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data and project management for neuroimaging research. Starting in version 24.0.0 and prior to versions 26.0.5, 27.0.2, and 28.0.0, an authenticated user with the appropriate authorization can read configuration files on the server by exploiting a path traversal vulnerability. Some of these files contain hard-coded credentials. The vulnerability allows an attacker to read configuration files containing hard-coded credentials. The attacker could then authenticate to the database or other services if those credentials are reused. The attacker must be authenticated and have the required permissions. However, the vulnerability is easy to exploit and the application source code is public. This problem is fixed in LORIS v26.0.5 and v27.0.2 and above, and v28.0.0 and above. As a workaround, the electrophysiology_browser module in LORIS can be disabled by an administrator using the module manager.
CWE
  • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner: GitHub_M
Impacted products
Vendor   Product   Version
aces     Loris     Affected: >= 24.0.0, < 26.0.5
aces     Loris     Affected: >= 27.0.0, < 27.0.2

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-26985",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-25T21:38:48.956284Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-25T21:39:45.355Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Loris",
          "vendor": "aces",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 24.0.0, \u003c 26.0.5"
            },
            {
              "status": "affected",
              "version": "\u003e= 27.0.0, \u003c 27.0.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. Starting in version 24.0.0 and prior to versions 26.0.5, 27.0.2, and 28.0.0, an authenticated user with the appropriate authorization can read configuration files on the server by exploiting a path traversal vulnerability. Some of these files contain hard-coded credentials. The vulnerability allows an attacker to read configuration files containing hard-coded credentials. The attacker could then authenticate to the database or other services if those credentials are reused. The attacker must be authenticated and have the required permissions. However, the vulnerability is easy to exploit and the application source code is public. This problem is fixed in LORIS v26.0.5 and v27.0.2 and above, and v28.0.0 and above. As a workaround, the electrophysiogy_browser in LORIS can be disabled by an administrator using the module manager."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-25T21:26:00.201Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/aces/Loris/security/advisories/GHSA-g3pp-rqvq-xxhp",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/aces/Loris/security/advisories/GHSA-g3pp-rqvq-xxhp"
        },
        {
          "name": "https://github.com/aces/Loris/releases/tag/v26.0.5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/aces/Loris/releases/tag/v26.0.5"
        },
        {
          "name": "https://github.com/aces/Loris/releases/tag/v27.0.2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/aces/Loris/releases/tag/v27.0.2"
        }
      ],
      "source": {
        "advisory": "GHSA-g3pp-rqvq-xxhp",
        "discovery": "UNKNOWN"
      },
      "title": "LORIS vulnerable to path traversal in electrophysiology_browser"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-26985",
    "datePublished": "2026-02-25T21:26:00.201Z",
    "dateReserved": "2026-02-17T01:41:24.606Z",
    "dateUpdated": "2026-02-25T21:39:45.355Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}