{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35165", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-01T17:26:21.133Z", "datePublished": "2026-04-08T18:23:34.101Z", "dateUpdated": "2026-04-08T20:13:29.831Z"}, "containers": {"cna": {"title": "LORIS has incorrect access checks in document_repository", "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/aces/Loris/security/advisories/GHSA-qp6x-qfx7-54wp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/aces/Loris/security/advisories/GHSA-qp6x-qfx7-54wp"}], "affected": [{"vendor": "aces", "product": "Loris", "versions": [{"version": ">= 21.0.0, < 27.0.3", "status": "affected"}, {"version": ">= 28.0.0, < 28.0.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T18:23:34.101Z"}, "descriptions": [{"lang": "en", "value": "LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 21.0.0 to before 27.0.3 and 28.0.1, while the document_repository frontend was restricting file access, the backend endpoint was not correctly verifying access permissions. A user could theoretically download a file that they should not have access to, if they know or can brute force the filename. This vulnerability is fixed in 27.0.3 and 28.0.1."}], "source": {"advisory": "GHSA-qp6x-qfx7-54wp", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T20:13:01.869226Z", "id": "CVE-2026-35165", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T20:13:29.831Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35165", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T20:13:01.869226Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T20:13:26.347Z"}}], "cna": {"title": "LORIS has incorrect access checks in document_repository", "source": {"advisory": "GHSA-qp6x-qfx7-54wp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "aces", "product": "Loris", "versions": [{"status": "affected", "version": ">= 21.0.0, < 27.0.3"}, {"status": "affected", "version": ">= 28.0.0, < 28.0.1"}]}], "references": [{"url": "https://github.com/aces/Loris/security/advisories/GHSA-qp6x-qfx7-54wp", "name": "https://github.com/aces/Loris/security/advisories/GHSA-qp6x-qfx7-54wp", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 21.0.0 to before 27.0.3 and 28.0.1, while the document_repository frontend was restricting file access, the backend endpoint was not correctly verifying access permissions. A user could theoretically download a file that they should not have access to, if they know or can brute force the filename. This vulnerability is fixed in 27.0.3 and 28.0.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T18:23:34.101Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35165", "state": "PUBLISHED", "dateUpdated": "2026-04-08T20:13:29.831Z", "dateReserved": "2026-04-01T17:26:21.133Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-08T18:23:34.101Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mcgill:loris:*:*:*:*:*:*:*:*", "matchCriteriaId": "752BF9F7-1E9D-4E71-AAC8-43F3E1533399", "versionEndIncluding": "27.0.2", "versionStartIncluding": "21.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mcgill:loris:28.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D358B66A-04AC-44F2-8EF6-4332D8AC00F4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 21.0.0 to before 27.0.3 and 28.0.1, while the document_repository frontend was restricting file access, the backend endpoint was not correctly verifying access permissions. A user could theoretically download a file that they should not have access to, if they know or can brute force the filename. This vulnerability is fixed in 27.0.3 and 28.0.1."}], "id": "CVE-2026-35165", "lastModified": "2026-04-21T20:18:26.640", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-08T19:25:23.300", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/aces/Loris/security/advisories/GHSA-qp6x-qfx7-54wp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[21.0.0,27.0.3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[28.0.0,28.0.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Loris", "source": "cna", "vendor": "aces"}, "product": "loris", "vendor": "aces"}], "analysis": {"en": {"generated_at": "2026-04-08T20:37:27.705241+00:00", "value": {"mitigation_remediation": ["Upgrade the LORIS installation to version 27.0.3 or 28.0.1, which contain the fix for the backend authorization check."], "summary": {"action": "Patch", "impact": "Unauthorized file disclosure"}, "threat_synthesis": {"affected_systems": "LORIS, a self-hosted web application for neuroimaging research, is affected in versions 21.0.0 through 26.x, prior to 27.0.3, and before 28.0.1. Rolling updates to 27.0.3 or 28.0.1 eliminate the issue.", "description_and_impact": "LORIS features a document_repository frontend that restricts file access, but its backend endpoint lacks proper permission verification. This flaw allows a user to retrieve files they should not access if the file name is known or guessable, resulting in potential leakage of confidential research data. The weakness aligns with improper authorization checks, exposing user information to unauthorized actors.", "risk_and_exploitability": "The vulnerability scores a CVSS of 6.3, indicating moderate severity. With no EPSS score available, the likelihood of exploitation is uncertain, but the absence from the CISA KEV catalog suggests it has not been publicly exploited as of now. Because the attack requires knowledge of a filename or brute\u2011forcing filenames, the vector is inferred to be remote via the web interface rather than a local privilege escalation. Once exploited, an attacker could obtain non\u2011public files, compromising confidentiality of research data."}}}}, "created": "2026-04-09T08:18:28.012526+00:00", "updated": "2026-04-09T08:27:50.399396+00:00", "vendors": ["aces", "aces$PRODUCT$loris"]}