
CVE-2026-26985: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in aces Loris

Severity: High
Published: Wed Feb 25 2026 (02/25/2026, 21:26:00 UTC)
Source: CVE Database V5
Vendor/Project: aces
Product: Loris

Description

LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. Starting in version 24.0.0 and prior to versions 26.0.5, 27.0.2, and 28.0.0, an authenticated user with the appropriate authorization can read configuration files on the server by exploiting a path traversal vulnerability. Some of these files contain hard-coded credentials, and an attacker who reads them could authenticate to the database or other services if those credentials are reused. The attacker must be authenticated and have the required permissions; however, the vulnerability is easy to exploit and the application source code is public. This problem is fixed in LORIS v26.0.5 and later 26.x releases, v27.0.2 and later 27.x releases, and v28.0.0 and later. As a workaround, the electrophysiology_browser module in LORIS can be disabled by an administrator using the module manager.

AI-Powered Analysis

Last updated: 02/25/2026, 22:10:49 UTC

Technical Analysis

LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application used to manage neuroimaging research data and projects. CVE-2026-26985 is a path traversal vulnerability (CWE-22) in the electrophysiology_browser module. It affects releases from 24.0.0 onward: the 26.x line before 26.0.5, the 27.x line before 27.0.2, and every release before 28.0.0. Versions 26.0.5, 27.0.2 and 28.0.0 and later ship the fix.

An authenticated user who holds the permission required to use the module can supply a file path containing traversal sequences and have the server read files outside the directory the module is meant to serve. The files reachable this way include LORIS configuration files, some of which contain hard-coded credentials for the database or other internal services. Those credentials are what turns a file-read bug into a broader compromise: an attacker who obtains them can authenticate directly to backend systems and read or modify data there, and any credential read before the patch is applied remains valid afterwards unless it is rotated.

Exploitation needs a valid account with the relevant permission but no user interaction. The advisory makes two separate points: the bug is easy to exploit, and the source code is public, so anyone with an account can locate the vulnerable file-handling code and craft a request against it. No active exploitation had been reported at the time of publication.

Until an upgrade is possible, an administrator can disable the electrophysiology_browser module through the module manager, which removes the vulnerable endpoint along with the module's functionality. The CVSS v3.1 score of 8.1 (High) is consistent with a network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, and high impact on confidentiality and integrity with no availability impact (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
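The pattern behind a CWE-22 bug like this one is a user-controlled path segment joined onto a base directory and opened without checking where the result actually lands. The following is an added example, not LORIS code and not taken from the advisory: it builds a throw-away directory tree (constructed for the demo, with invented file names and a fake secret), shows a naive reader being walked out of the served directory by `..`, by a symlink, and by an absolute path, and shows a hardened reader that canonicalises with `realpath` and refuses anything outside the base. LORIS itself is PHP; Python is used here so the comparison runs stand-alone.

```python
"""Path traversal (CWE-22): a naive file-serving routine beside a hardened one.

Added example, not LORIS code. The directory layout, file names and request
strings are constructed for the demo; only the pattern (user-controlled path
joined onto a base directory and opened) mirrors the advisory.
Assumes a POSIX filesystem where an unprivileged user may create symlinks.
"""
import os
import shutil
import tempfile


def make_demo_tree() -> tuple[str, str]:
    """Construct a throw-away install: <root>/config/config.xml holds a
    (fake) secret, <root>/data is the only directory the endpoint may serve.
    Returns (root, served_dir)."""
    root = tempfile.mkdtemp(prefix="traversal-demo-")
    os.makedirs(os.path.join(root, "config"))
    os.makedirs(os.path.join(root, "data"))
    with open(os.path.join(root, "config", "config.xml"), "w") as f:
        f.write("<database><password>example-secret</password></database>\n")
    with open(os.path.join(root, "data", "sub01.edf"), "w") as f:
        f.write("EDF-DATA\n")
    # A symlink inside the served directory that points outside it.
    os.symlink(os.path.join(root, "config"), os.path.join(root, "data", "link"))
    return root, os.path.join(root, "data")


def read_file_vulnerable(base_dir: str, requested: str) -> str:
    """The CWE-22 pattern: join and open. '..' segments walk out of base_dir,
    a symlink is followed wherever it points, and an absolute `requested`
    makes os.path.join discard base_dir entirely."""
    with open(os.path.join(base_dir, requested)) as f:
        return f.read()


def read_file_hardened(base_dir: str, requested: str) -> str:
    """Canonicalise both sides (realpath also resolves symlinks), then refuse
    anything whose canonical form is not inside base_dir."""
    base_real = os.path.realpath(base_dir)
    # Strip leading separators so an absolute request cannot replace the base;
    # '..' and symlinks are then neutralised by realpath + commonpath.
    candidate = os.path.realpath(os.path.join(base_real, requested.lstrip("/\\")))
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise PermissionError(f"refusing path outside {base_real}: {requested!r}")
    with open(candidate) as f:
        return f.read()


def _reads_ok(reader, base_dir: str, requested: str) -> bool:
    """True if `reader` returned file contents; False if it raised any OSError
    (PermissionError from the guard, or FileNotFoundError/IsADirectoryError)."""
    try:
        reader(base_dir, requested)
        return True
    except OSError:
        return False


def run_demo() -> dict[str, tuple[bool, bool]]:
    """Send four requests through both readers.
    Returns {label: (vulnerable_read_succeeded, hardened_read_succeeded)}."""
    root, served = make_demo_tree()
    try:
        requests = {
            "legit":    "sub01.edf",
            "dotdot":   "../config/config.xml",
            "symlink":  "link/config.xml",
            "absolute": os.path.join(root, "config", "config.xml"),
        }
        return {label: (_reads_ok(read_file_vulnerable, served, req),
                        _reads_ok(read_file_hardened, served, req))
                for label, req in requests.items()}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for label, (vuln, hard) in run_demo().items():
        print(f"{label:9s} vulnerable={'READ' if vuln else 'denied'}  "
              f"hardened={'READ' if hard else 'denied'}")
```

The guard must run on the canonical path, not on the raw request: rejecting the literal string `..` misses the symlink case, and checking with a plain string prefix (`candidate.startswith(base)`) would accept a sibling directory such as `data2`, which is why `os.path.commonpath` is used. The hardened reader still lets the absolute request through the guard, because after stripping the leading slash it points inside the base; it then fails with a normal "not found" rather than disclosing anything.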

Potential Impact

The direct impact of CVE-2026-26985 is disclosure of configuration files that contain hard-coded credentials. With those credentials an attacker can authenticate to the backend database or other services, which turns a file-disclosure bug into data theft, data manipulation and lateral movement within the environment. For organizations that use LORIS to manage neuroimaging research, that means exposure of sensitive research data, intellectual property, and personally identifiable information about research subjects, and, if the stolen credentials permit writes, as an application's database credentials usually do, the possibility that study data or configuration is silently altered. Availability is not directly affected, but the loss of confidentiality and integrity can carry severe operational, regulatory and reputational consequences.

Exploitation requires an authenticated account that holds the module's permission, so existing access controls reduce the exposed population. That bar is low in practice: an insider, a phished or otherwise compromised account, or an over-privileged account in a multi-site research deployment all meet it, and once an account is in hand the attack is a single crafted request against a publicly documented code base. Exploitation attempts should therefore be considered likely wherever such accounts exist.

Mitigation Recommendations

1. Upgrade LORIS to 26.0.5, 27.0.2, 28.0.0, or later, according to the release line in use.
2. Until the upgrade is possible, disable the electrophysiology_browser module in the LORIS module manager. This removes the vulnerable endpoint, at the cost of the module's functionality for legitimate users.
3. Treat every credential stored in a LORIS configuration file as potentially exposed. Rotate the database and service passwords after the patch is applied (rotating before patching leaves the new values readable through the same bug), and where the deployment allows it move secrets out of the files into environment variables or a secrets store. Ensure the new credentials are not reused on other systems.
4. Review which accounts hold the permission that grants access to the module, remove it where it is not needed, and monitor the remaining accounts for unusual activity.
5. Audit web-server and application logs for requests to the module's endpoints that carry traversal sequences (`../`, the URL-encoded `%2e%2e%2f`, and double-encoded variants), and check database and service logs for logins from unexpected hosts that could indicate use of stolen credentials.
6. Restrict network access to the database and other backend services so that a credential alone is not enough to reach them from an arbitrary host, and apply least privilege to the database account LORIS uses.
7. Remind users to protect their credentials and to report unusual activity.
8. A web application firewall with traversal-detection rules in front of LORIS adds defense in depth, but treat it as a stopgap: rules that only match a literal `../` miss encoded variants, and the malicious request is authenticated and otherwise looks like ordinary module traffic.
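Recommendations 5 and 8 both depend on recognising traversal sequences that may be URL-encoded once or twice. The following is an added example, not part of the advisory or of LORIS: it scans constructed Apache-style access-log lines, percent-decodes each request target until it stops changing so that `%252e%252e%252f` is caught as well as `../`, and reports the attempts per source address. The request path `/electrophysiology_browser/` and the `file=` query parameter are assumed for illustration only and are not taken from LORIS source; the sample log lines and IP addresses are constructed.

```python
"""Flag path-traversal attempts in web-server access logs.

Added example, not part of the advisory or of LORIS. The log lines, the
/electrophysiology_browser/ path and the `file=` parameter are constructed or
assumed for illustration. Decoding is applied repeatedly so that
double-encoded sequences (%252e%252e%252f) are detected.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample: one legitimate request, three traversal attempts
# (plain, URL-encoded, double-encoded) and an unrelated page load.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Feb/2026:21:30:01 +0000] "GET /electrophysiology_browser/?file=sub01.edf HTTP/1.1" 200 5120
203.0.113.5 - - [25/Feb/2026:21:30:07 +0000] "GET /electrophysiology_browser/?file=../../project/config.xml HTTP/1.1" 200 2310
203.0.113.5 - - [25/Feb/2026:21:30:09 +0000] "GET /electrophysiology_browser/?file=..%2f..%2fproject%2fconfig.xml HTTP/1.1" 200 2310
198.51.100.7 - - [25/Feb/2026:21:31:00 +0000] "GET /electrophysiology_browser/?file=%252e%252e%252fproject%252fconfig.xml HTTP/1.1" 404 512
198.51.100.7 - - [25/Feb/2026:21:32:00 +0000] "GET /main.php HTTP/1.1" 200 8800
"""

# Apache combined-style line: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# '..' preceded by a delimiter (not a letter, digit or another dot) and
# followed by a separator or end of string, e.g. "=../", "/../", "/.."
TRAVERSAL_RE = re.compile(r'(?:^|[^A-Za-z0-9.])\.\.(?:/|$)')


def decode_fully(s: str, max_rounds: int = 5) -> str:
    """Percent-decode until the string stops changing (bounded to avoid loops)."""
    for _ in range(max_rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s


def is_traversal(target: str) -> bool:
    """True if the request target contains a directory-traversal sequence
    after full decoding; backslashes are normalised to '/' first."""
    decoded = decode_fully(target).replace("\\", "/")
    return TRAVERSAL_RE.search(decoded) is not None


def scan_log(lines) -> list[dict]:
    """Parse each line and return the requests that look like traversal."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guess
        if is_traversal(m["target"]):
            hits.append({
                "ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                "target": m["target"], "decoded": decode_fully(m["target"]),
            })
    return hits


def attempts_per_source(hits) -> dict[str, int]:
    """Count flagged requests per client address."""
    return dict(Counter(h["ip"] for h in hits))


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG.splitlines()):
        outcome = "SUCCEEDED" if h["status"] == 200 else f"status={h['status']}"
        print(f'{h["ip"]} {h["ts"]} {outcome}  {h["decoded"]}')
    print(attempts_per_source(scan_log(SAMPLE_LOG.splitlines())))
```

The HTTP status is kept so that attempts that returned 200 can be triaged first: those are the ones that most likely disclosed a file and therefore drive credential rotation. Web-server logs identify the client by address only; tying an attempt to the LORIS account that made it requires correlating the timestamp and address with the application's own session or audit logs.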


Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2026-02-17T01:41:24.606Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 699f7012b7ef31ef0b5b7bc9

Added to database: 2/25/2026, 9:56:34 PM

Last enriched: 2/25/2026, 10:10:49 PM

Last updated: 2/25/2026, 11:32:39 PM


