Authentication Token Exposure in OHIF due to Unvalidated URL Parameters
CVE-2026-12473

8.3HIGH

Key Information:

Vendor: Open Health Imaging Foundation (ohif)
Status: Dicom Web Viewer Framework
Vendor: CVE Published:; 25 June 2026

🔔 Create Open Health Imaging Foundation (ohif) Vulnerability Alert

What is CVE-2026-12473?

A vulnerability exists in the OHIF Viewer involving two data sources: DICOMWebProxy and DICOMJSON. These components are shipped in a default configuration that improperly fetches URLs without adequate validation. This flaw can lead to the unintentional leakage of an authenticated user's OIDC Bearer token into requests directed at attacker-controlled servers. Although the DICOMweb data sources remain unaffected, the exposed tokens pose a significant risk by potentially allowing unauthorized access to sensitive user data.

Affected Version(s)

DICOM Web Viewer Framework 0

References

https://www.cisa.gov/news-events/ics-advisories/icsma-26-...

https://github.com/cisagov/CSAF/blob/develop/csaf_files/O...

CVSS V4

Score:

8.3

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 25, 2026
Vulnerability Reserved
Jun 16, 2026

Credit

Simon Weber and Volker Schönefeld of Machine Spirits UG reported this vulnerability to CISA.

CVE-2026-12473 Data

JSON