
CVE-2026-26984: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in aces Loris

Severity: High
Tags: Vulnerability, CVE-2026-26984, CWE-22, CWE-434
Published: Wed Feb 25 2026 (02/25/2026, 21:15:54 UTC)
Source: CVE Database V5
Vendor/Project: aces
Product: Loris

Description

LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. Prior to versions 26.0.5, 27.0.2, and 28.0.0, an authenticated user with sufficient privileges can exploit a path traversal vulnerability to upload a malicious file to an arbitrary location on the server. Once uploaded, the file can be used to achieve remote code execution (RCE). An attacker must be authenticated and have the appropriate permissions to exploit this issue. If the server is configured as read-only, remote code execution (RCE) is not possible; however, the malicious file upload may still be achievable. This problem is fixed in LORIS v26.0.5 and above, v27.0.2 and above, and v28.0.0 and above. As a workaround, LORIS administrators can disable the media module if it is not being used.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/26/2026, 21:59:07 UTC

Technical Analysis

LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application widely used for managing neuroimaging research data and projects. CVE-2026-26984 identifies a path traversal vulnerability (CWE-22) combined with improper file upload handling (CWE-434) in LORIS versions prior to 26.0.5, between 27.0.0 and 27.0.2, and before 28.0.0. The vulnerability allows an authenticated user with sufficient privileges to manipulate file upload paths, enabling the placement of malicious files outside intended directories. This can lead to remote code execution (RCE) if the server permits write operations, as the attacker can upload executable payloads to arbitrary locations. The vulnerability requires no user interaction beyond authentication and appropriate permissions, making it a direct threat to systems where privileged users might be compromised or act maliciously. The vulnerability is mitigated by patching to fixed versions or disabling the media module if it is not in use. The CVSS v3.0 score of 8.7 reflects high impact on confidentiality and integrity, with network attack vector, low attack complexity, and high privileges required. No public exploits have been reported yet, but the potential for RCE makes this a critical issue for affected deployments.

Potential Impact

The primary impact of CVE-2026-26984 is the potential for attackers to achieve remote code execution on servers running vulnerable versions of LORIS. This can lead to full compromise of the affected system, unauthorized access to sensitive neuroimaging research data, and disruption of research operations. Confidentiality is severely impacted as attackers can access or exfiltrate sensitive data. Integrity is also compromised since attackers can modify or replace files, potentially injecting malicious code or altering research data. Availability impact is limited unless attackers use RCE to disrupt services. Since exploitation requires authenticated access with sufficient privileges, the risk is elevated in environments where user credentials are weak, reused, or compromised. Organizations relying on LORIS for critical research data management face risks of data breaches, intellectual property theft, and operational downtime. The vulnerability also poses reputational risks and potential regulatory compliance issues related to data protection.

Mitigation Recommendations

1. Immediately upgrade LORIS installations to versions 26.0.5 or later, 27.0.2 or later, or 28.0.0 or later as applicable to ensure the vulnerability is patched.
2. If upgrading is not immediately feasible, disable the media module to prevent file uploads through the vulnerable component.
3. Enforce strict access controls and least privilege principles to limit the number of users with permissions to upload files or manage media.
4. Implement multi-factor authentication (MFA) to reduce the risk of credential compromise for privileged users.
5. Monitor server file systems for unauthorized file creations or modifications, especially outside expected directories.
6. Conduct regular audits of user privileges and review logs for suspicious activity related to file uploads.
7. Harden server configurations to enforce read-only permissions where possible, limiting the ability to write files and execute code.
8. Employ network segmentation and application-layer firewalls to restrict access to LORIS servers.
9. Educate users with upload privileges about the risks and signs of compromise.
10. Prepare incident response plans specific to potential RCE scenarios involving LORIS.
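The description classifies this issue as CWE-22 (path traversal) combined with CWE-434 (unrestricted upload), which is why the fix lives in the upload handler rather than in a single regex. The following is an added illustration, not LORIS project code and not the actual patch: a hypothetical upload-destination check that enforces the two controls such a fix needs, resolving the final path and confirming it stays inside the configured upload root, and restricting the file type to an allowlist so an uploaded file cannot become server-side executable content. The allowlist, function names and sample file names are assumptions constructed for the example.

```python
"""Hardened upload-destination check for a media upload handler.

Added example (hypothetical, not LORIS code). Two controls are enforced:
  1. CWE-22: the resolved target path must remain under the upload root.
  2. CWE-434: the extension must be on an allowlist of non-executable types.
"""
import os
import posixpath
import tempfile

# Assumed allowlist for a media module; a real deployment tunes this to its needs.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".pdf", ".csv", ".txt"}

# Constructed sample names of the kind a request handler might receive.
SAMPLE_NAMES = [
    "scan.png",                    # plain file in the root: accepted
    "2026/scan.png",               # subdirectory under the root: accepted
    "../../etc/cron.d/job.txt",    # traversal out of the root: rejected
    "..\\..\\config.php",          # Windows separators plus bad type: rejected
    "report.php",                  # server-side executable type: rejected
    "notes\x00.png",               # embedded NUL byte: rejected
    "/etc/passwd.txt",             # absolute path: rejected
    "a/../../x.txt",               # traversal hidden behind a subdirectory: rejected
]


class UploadRejected(ValueError):
    """Raised when a client-supplied file name fails validation."""


def safe_upload_path(upload_root: str, client_relpath: str) -> str:
    """Return the absolute destination for client_relpath under upload_root, or raise.

    upload_root is the directory the application intends to write into;
    client_relpath is untrusted because it came from the request.
    """
    if not client_relpath or "\x00" in client_relpath:
        raise UploadRejected("empty name or embedded NUL byte")

    # Normalise separators so "..\\" cannot slip past a POSIX-style check.
    rel = client_relpath.replace("\\", "/")
    if posixpath.isabs(rel):
        raise UploadRejected("absolute paths not allowed")

    # Type allowlist. Note that splitext(".htaccess") yields an empty extension,
    # so dot-files are rejected here as well.
    ext = os.path.splitext(rel)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension {ext!r} not in allowlist")

    # Containment check on the *resolved* path. realpath collapses ".." lexically
    # and follows symlinks, so a planted link under the root cannot redirect the write.
    root = os.path.realpath(upload_root)
    candidate = os.path.realpath(os.path.join(root, rel))
    if os.path.commonpath([root, candidate]) != root:
        raise UploadRejected("resolved path escapes upload root")
    return candidate


def classify(upload_root: str, client_relpath: str) -> str:
    """Return 'accept' or 'reject:<reason>' for a candidate name."""
    try:
        safe_upload_path(upload_root, client_relpath)
        return "accept"
    except UploadRejected as exc:
        return f"reject:{exc}"


def run_checks(names):
    """Evaluate each name against a fresh temporary upload root; returns {name: verdict}."""
    with tempfile.TemporaryDirectory() as root:
        return {name: classify(root, name) for name in names}


if __name__ == "__main__":
    for name, verdict in run_checks(SAMPLE_NAMES).items():
        print(f"{name!r:32} -> {verdict}")
```

The containment check deliberately operates on the resolved path rather than on the raw string: rejecting literal `..` sequences is easy to bypass with encoding or separator tricks, whereas comparing `realpath` results leaves nothing for the string to smuggle. Pairing it with the extension allowlist addresses the second half of the advisory, since a traversal that can only land image or text files in the web root has far less impact than one that can drop server-side scripts.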


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-02-17T01:41:24.605Z
CVSS Version: 3.0
State: PUBLISHED

Threat ID: 699f6d86b7ef31ef0b587d27

Added to database: 2/25/2026, 9:45:42 PM

Last enriched: 2/26/2026, 9:59:07 PM

Last updated: 4/12/2026, 12:48:39 PM

Views: 30

