LORIS Document Repository Incorrect Access Check Vulnerability

Vulnerability

An access control vulnerability has been identified in the document repository module of LORIS (Longitudinal Online Research and Imaging System), affecting versions from 21.0.0 prior to 27.0.3 and 28.0.1. While the frontend correctly restricted which files a user could see, the backend download endpoint did not verify the requesting user's permissions correctly. As a result, a user could download files they were not authorized to access, provided they knew or could guess the filename.
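The pattern described above (a listing that hides restricted files while the download endpoint only checks that the file exists) and the server-side fix, as an added illustrative example; this is not LORIS code, and the file records, permission names and handler names are hypothetical:

```python
from dataclasses import dataclass

# Constructed sample repository: each record names the permission a user
# needs to see it. Field and permission names are hypothetical.
FILES = {
    "consent_form.pdf": {"perm": "docs_view", "data": b"public consent form"},
    "site_budget.xlsx": {"perm": "docs_admin", "data": b"restricted budget"},
}

@dataclass(frozen=True)
class User:
    name: str
    permissions: frozenset

class AccessDenied(Exception):
    pass

def list_files(user):
    """Frontend-style listing: shows only the files the user may see."""
    return sorted(n for n, f in FILES.items() if f["perm"] in user.permissions)

def download_vulnerable(user, filename):
    """Backend endpoint as the advisory describes it: an existence check only.
    The listing hides restricted files, but a guessed filename is served."""
    record = FILES.get(filename)
    if record is None:
        raise FileNotFoundError(filename)
    return record["data"]

def download_hardened(user, filename):
    """Hardened endpoint: repeat the listing's permission decision server-side
    before serving anything, instead of trusting the frontend filter."""
    record = FILES.get(filename)
    # Treat unknown and forbidden names identically so the response does not
    # confirm whether a guessed filename exists.
    if record is None or record["perm"] not in user.permissions:
        raise AccessDenied(filename)
    return record["data"]

def outcome(handler, user, filename):
    """Run a handler and report the served bytes or the string 'denied'."""
    try:
        return handler(user, filename)
    except (AccessDenied, FileNotFoundError):
        return "denied"
```

Running the two handlers side by side with a user who only holds the viewer permission shows the listing hiding the restricted file while the vulnerable endpoint still serves it.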

Impact

Exploitation of this vulnerability could lead to unauthorized access to files within the document repository module.

Remediation

Users can update to LORIS version 27.0.2 or 28.0.1 to address this vulnerability. Alternatively, LORIS projects that no longer use the document repository can disable the module, which removes access to the vulnerable endpoint.

Added: Apr 8, 2026, 7:59 PM
Updated: Apr 8, 2026, 7:59 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          1.3
exploitability  5.9
remediation     0.0
relevance       5.5
threat          3.2
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.