Attack Chain

1. An attacker authenticates to the LORIS web application with valid credentials.
2. The attacker crafts a malicious HTTP request to the FilesDownloadHandler.
3. The crafted request includes a manipulated file path designed to traverse directories outside the intended download directory.
4. The FilesDownloadHandler processes the request with an incorrect order of operations when validating the file path.
5. The application bypasses the intended directory restrictions due to the flawed validation process.
6. The attacker gains access to files and directories outside of the designated download directory.
7. The attacker reads sensitive data, including neuroimaging data, project files, or configuration files.
8. The attacker may exfiltrate sensitive data for malicious purposes, such as espionage or sale on the dark web.

Impact

Successful exploitation of this directory traversal vulnerability (CVE-2026-35446) in LORIS could lead to unauthorized access to sensitive neuroimaging research data. The number of affected organizations is unknown, but any organization using LORIS versions 24.0.0 to before 27.0.3 and 28.0.1 is potentially vulnerable. The impact includes data breaches, intellectual property theft, and potential compromise of patient privacy if patient data is stored within the LORIS system.

Recommendation

• Upgrade LORIS to version 27.0.3 or 28.0.1 to remediate CVE-2026-35446, as indicated in the overview.
• Implement the “Detect LORIS Directory Traversal Attempt” Sigma rule to monitor for suspicious file download requests.
• Review web server access logs for unusual file download patterns or attempts to access files outside the intended download directories using the file_event log source to detect potential exploitation attempts.