Path Traversal Vulnerability in LORIS Web Application by ACES
CVE-2026-26985

8.1 HIGH

Key Information:

Vendor: Aces
Status: Vendor
CVE Published: 25 February 2026

What is CVE-2026-26985?

LORIS (Longitudinal Online Research and Imaging System), a self-hosted web application for managing neuroimaging research, contains a path traversal vulnerability that allows an authenticated user with the necessary permissions to read sensitive configuration files on the server. The issue is particularly concerning because some of these files store hard-coded credentials, which can be abused if they are reused for database or other service authentication. Although the attacker must be authenticated, the ease of exploitation and the public availability of the application's source code amplify the risk. The issue has been addressed in LORIS versions 26.0.5, 27.0.2, and 28.0.0; as an administrative workaround, the electrophysiology_browser module can be disabled.
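The defensive pattern behind the fix for this class of bug is a containment check: resolve the user-supplied file name under the module's data directory and refuse anything that lands outside it. The example below is added here and is not LORIS project code; the data directory, the `/example_module/download?file=` endpoint, the `settings.ini` target and the access-log lines are all constructed for illustration. It pairs the containment check with a small detector that flags traversal attempts (including URL-encoded and double-encoded forms) in access logs, which is what an operator would run while deciding whether the workaround or the upgrade had been applied in time.

```python
"""Added example (not LORIS code): path containment check plus a log detector.
All paths, endpoints and log lines below are constructed for this example."""
import os
import re
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple
from urllib.parse import unquote


def safe_join(base_dir: str, user_path: str) -> Optional[Path]:
    """Resolve user_path under base_dir; return None if it escapes base_dir.

    Covers '..' segments, absolute input, and symlinks pointing outside the
    tree, because resolve() follows symlinks before the containment test.
    """
    base = Path(base_dir).resolve()
    if os.path.isabs(user_path):          # a download endpoint serves relative names only
        return None
    candidate = (base / user_path).resolve()
    try:
        candidate.relative_to(base)       # ValueError when candidate is outside base
    except ValueError:
        return None
    return candidate


def looks_like_traversal(request_path: str) -> bool:
    """True when the request path or query contains a '..' segment.

    Decodes twice to catch double-encoded forms such as %252e%252e%252f and
    treats backslashes, '?', '&' and '=' as segment separators so that a
    query value like file=..%2F..%2Fx is inspected as well as the path.
    """
    decoded = unquote(unquote(request_path)).replace("\\", "/")
    return any(seg == ".." for seg in re.split(r"[/?&=]", decoded))


# Constructed access-log sample (combined log format); not real traffic.
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - alice [25/Feb/2026:10:00:01 +0000] "GET /example_module/download?file=recording.edf HTTP/1.1" 200 5120
203.0.113.10 - alice [25/Feb/2026:10:00:07 +0000] "GET /example_module/download?file=../../config/settings.ini HTTP/1.1" 200 2048
198.51.100.7 - bob [25/Feb/2026:10:01:13 +0000] "GET /example_module/download?file=..%2F..%2Fconfig%2Fsettings.ini HTTP/1.1" 200 2048
198.51.100.7 - bob [25/Feb/2026:10:02:00 +0000] "GET /candidate_list/ HTTP/1.1" 200 9000
"""


def find_traversal_attempts(access_log: str) -> List[Tuple[str, str]]:
    """Return (client_ip, raw_request_path) for each line that looks like traversal."""
    hits = []
    for line in access_log.splitlines():
        if not line.strip():
            continue
        client_ip = line.split(" ", 1)[0]
        try:
            request_line = line.split('"')[1]      # e.g. 'GET /path HTTP/1.1'
            path = request_line.split(" ")[1]
        except IndexError:
            continue                               # malformed line: skip, do not crash
        if looks_like_traversal(path):
            hits.append((client_ip, path))
    return hits


def demo() -> dict:
    """Exercise safe_join against a throwaway data directory and scan the sample log."""
    with tempfile.TemporaryDirectory() as tmp:
        data_dir = Path(tmp) / "data"
        data_dir.mkdir()
        (data_dir / "recording.edf").write_bytes(b"constructed sample")
        results = {
            "inside_allowed": safe_join(str(data_dir), "recording.edf") is not None,
            "dotdot_blocked": safe_join(str(data_dir), "../outside.txt") is None,
            "absolute_blocked": safe_join(str(data_dir), "/etc/hostname") is None,
        }
    results["log_hits"] = find_traversal_attempts(SAMPLE_ACCESS_LOG)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The containment test relies on `Path.resolve()` rather than string matching on `..`, so an entry that is lexically harmless but points outside the directory through a symlink is rejected too. The detector is deliberately loose (any `..` segment after decoding) because a reviewer triaging logs for a known bug wants recall first; the second line in the sample shows why decoding matters, since the encoded request would otherwise pass a naive `../` substring check.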

Affected Version(s)

Loris >= 24.0.0, < 26.0.5

Loris >= 27.0.0, < 27.0.2

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
