Access Control Flaw in LORIS by Aces Allows Unauthorized File Access
CVE-2026-34985

6.3 MEDIUM

Key Information:

Vendor: Aces
Status: Vendor
CVE Published: 8 April 2026

What is CVE-2026-34985?

LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application used for managing data and projects in neuroimaging research. An issue has been identified where the backend of the media module fails to enforce access controls properly. While the frontend may restrict file access based on user permissions, the backend does not re-check those permissions, so an authenticated user who knows a file name can still retrieve sensitive data on affected versions of LORIS. This vulnerability affects versions from 16.1.0 up to, but not including, 27.0.3, as well as the 28.0.x line before 28.0.1; security updates addressing it have been released in 27.0.3 and 28.0.1.
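The description above turns on one distinction: hiding files in the user interface is not the same as authorizing the download on the server. The following Python sketch is an added illustration, not LORIS code; its user/project model, file catalogue and handler names are hypothetical and constructed for the example. It places the vulnerable pattern (backend trusts that the frontend already filtered) beside the hardened one (backend re-checks the permission on every request and logs denials), and returns the same error for unknown and forbidden names so that the endpoint does not become an oracle for which file names exist.

```python
"""Frontend filtering versus server-side enforcement of file access.

Added example, not LORIS code. The data model below is constructed
for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    projects: frozenset  # projects whose media this user may read


# Constructed catalogue: file name -> owning project (hypothetical values)
MEDIA_FILES = {
    "sub01_t1.nii.gz": "project_a",
    "sub07_notes.pdf": "project_b",
}

# Audit trail of denied downloads, useful as a detection signal for
# users probing file names they are not entitled to.
DENIED_LOG = []


class NotFound(Exception):
    """Raised for both unknown and forbidden files (no existence oracle)."""


def list_files_for_user(user):
    """Frontend-style filter: shapes what the UI shows.

    This is a usability feature, not a security control: it does not stop
    a request for a file name the user already knows.
    """
    return sorted(f for f, p in MEDIA_FILES.items() if p in user.projects)


def download_insecure(user, filename):
    """Vulnerable pattern: the backend assumes the frontend filtered already.

    Any authenticated user who supplies a valid file name receives it.
    """
    if filename not in MEDIA_FILES:
        raise NotFound(filename)
    return f"<contents of {filename}>"


def download_secure(user, filename):
    """Hardened pattern: authorization is decided here, per request.

    Unknown and forbidden files get the identical error so the endpoint
    cannot be used to confirm which file names exist; denials are logged.
    """
    project = MEDIA_FILES.get(filename)
    if project is None or project not in user.projects:
        DENIED_LOG.append(f"denied user={user.name} file={filename}")
        raise NotFound(filename)
    return f"<contents of {filename}>"


if __name__ == "__main__":
    alice = User("alice", frozenset({"project_a"}))
    print("UI shows alice:", list_files_for_user(alice))
    # Insecure backend hands over a file alice was never shown.
    print("insecure:", download_insecure(alice, "sub07_notes.pdf"))
    try:
        download_secure(alice, "sub07_notes.pdf")
    except NotFound:
        print("secure: denied, log =", DENIED_LOG)
```

The point for reviewers of similar code is that `list_files_for_user` and `download_secure` must derive their decision from the same server-side rule; if only the listing is filtered, the media endpoint is reachable by anyone who can guess or learn a file name.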

Affected Version(s)

Loris >= 16.1.0, < 27.0.3

Loris >= 28.0.0, < 28.0.1

CVSS v3.1

Score: 6.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved