CVE-2026-26985
Published: 25 February 2026
Summary
CVE-2026-26985 is a high-severity path traversal (CWE-22) vulnerability in LORIS, McGill's Longitudinal Online Research and Imaging System. Its CVSS v3.1 base score is 8.1 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Data from Local System (T1005). Its exploit-likelihood ranking is the 15.8th percentile (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): validating user-supplied input before it is used in file path operations directly prevents traversal, blocking reads of sensitive configuration files.
- AC-3 (Access Enforcement): enforcing approved access control policies keeps authenticated users from reading server configuration files they are not authorized for, even if a path check is bypassed.
- Least functionality (workaround): disabling the unneeded electrophysiology_browser module removes the vulnerable functionality and shrinks the attack surface until the fixed release is deployed.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in an authenticated web-application context directly enables arbitrary local file reads (Data from Local System, T1005); the files read here are configuration files holding hard-coded credentials, which is Unsecured Credentials: Credentials In Files (T1552.001).
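The T1005 mapping above is what a detection engineer would hunt for in web access logs: authenticated requests whose file parameter, once fully percent-decoded, contains a parent-directory segment. The following Python is an added example written for this page, not code from LORIS or from the original analysis; the log lines, the `/files/download?name=` endpoint and the user names are constructed and do not describe real LORIS routes.

```python
"""Added example (not from the page or the LORIS project): flag traversal probes
in web access logs. Endpoint names and log lines below are constructed."""
import re
import urllib.parse

# Constructed Apache combined-style lines; the URL paths are hypothetical and
# do not describe real LORIS endpoints.
SAMPLE_LOG = """\
10.0.0.5 - alice [25/Feb/2026:10:01:02 +0000] "GET /files/download?name=report.txt HTTP/1.1" 200 512
10.0.0.5 - alice [25/Feb/2026:10:01:09 +0000] "GET /files/download?name=../../project/config.xml HTTP/1.1" 200 2048
10.0.0.7 - bob [25/Feb/2026:10:02:11 +0000] "GET /files/download?name=..%252F..%252Fproject%252Fconfig.xml HTTP/1.1" 200 2048
10.0.0.9 - carol [25/Feb/2026:10:03:30 +0000] "GET /static/app.js HTTP/1.1" 304 0
10.0.0.7 - bob [25/Feb/2026:10:04:00 +0000] "GET /files/download?name=%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 0
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# A '..' segment followed by a slash or backslash, or ending the string.
TRAVERSAL_RE = re.compile(r'\.\.(?:[/\\]|$)')


def fully_decode(s, max_rounds=3):
    """Percent-decode until stable (bounded), so %252F and %2e%2e are caught too."""
    for _ in range(max_rounds):
        d = urllib.parse.unquote(s)
        if d == s:
            break
        s = d
    return s


def scan(log_text):
    """Return one record per request whose decoded target contains a '..' segment."""
    flagged = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        decoded = fully_decode(m.group("target"))
        if TRAVERSAL_RE.search(decoded):
            status = int(m.group("status"))
            flagged.append({
                "client": m.group("client"),
                "user": m.group("user"),
                "status": status,
                "decoded": decoded,
                # A 2xx is the case to triage first: the server may have served the file.
                "likely_success": 200 <= status < 300,
            })
    return flagged


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Two caveats when moving this off sample data: if parameters arrive in a POST body the web server log will not contain them, so application-level logging of the requested file name is needed; and a reverse proxy may decode once before the application sees the value, so the bounded multi-round decode above is deliberate. The rule does not cover overlong UTF-8 encodings of the dot and slash, which need a separate normalisation step.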
NVD Description
LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. Starting in version 24.0.0 and prior to versions 26.0.5, 27.0.2, and 28.0.0, an authenticated user with the appropriate authorization can read configuration files on the server by exploiting a path traversal vulnerability. Some of these files contain hard-coded credentials. The vulnerability allows an attacker to read configuration files containing hard-coded credentials. The attacker could then authenticate to the database or other services if those credentials are reused. The attacker must be authenticated and have the required permissions. However, the vulnerability is easy to exploit and the application source code is public. This problem is fixed in LORIS v26.0.5 and v27.0.2 and above, and v28.0.0 and above. As a workaround, the electrophysiology_browser in LORIS can be disabled by an administrator using the module manager.
Deeper analysis
CVE-2026-26985 is a path traversal vulnerability (CWE-22) in LORIS, a self-hosted web application for data and project management in neuroimaging research. The issue affects versions starting from 24.0.0 up to but not including 26.0.5, 27.0.2, and 28.0.0. An authenticated user with appropriate authorization can exploit this flaw to read sensitive configuration files on the server, some of which contain hard-coded credentials. The vulnerability has a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
Exploitation requires an authenticated account holding the relevant permission, so the realistic attacker is a legitimate user with malicious intent or anyone operating a compromised account. By traversing out of the intended directory, the attacker reads configuration files, extracts the hard-coded credentials, and can authenticate to the database or other services wherever those credentials are reused. The public source code and the simplicity of the exploit lower the barrier for abuse.
The vulnerability is addressed in LORIS versions 26.0.5, 27.0.2 and later, and 28.0.0 and later, as detailed in the project's GitHub release notes and security advisory (GHSA-g3pp-rqvq-xxhp). As a workaround, administrators can disable the electrophysiology_browser module using the module manager. Because upgrading does not invalidate credentials that may already have been read, administrators who cannot rule out exposure should also rotate the database and service credentials stored in those configuration files.
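To make the CWE-22 pattern concrete, the following Python is an added example written for this page, not code from LORIS or from this analysis. It places a traversal-prone file read beside a hardened one and shows the hardened version rejecting relative, absolute and symlink escapes. The directory layout, file names, the `report.txt` and `config.xml` files and the credential string are all constructed. LORIS itself is written in PHP; the same canonicalise-then-check-containment approach applies there (PHP's realpath() followed by a prefix comparison against the permitted directory).

```python
"""Added example (not LORIS code): a traversal-prone file read next to a hardened one."""
import os
import shutil
import tempfile


def vulnerable_read(base_dir, requested):
    """Hypothetical vulnerable sink: untrusted input is joined straight into the path.
    os.path.join() keeps '..' segments, and an absolute `requested` discards base_dir."""
    with open(os.path.join(base_dir, requested), "rb") as fh:
        return fh.read()


def safe_read(base_dir, requested):
    """Hardened form: resolve symlinks and '..' first, then prove the result is inside base_dir.
    Assumes the web layer already URL-decoded `requested` exactly once; do not decode again here,
    or a double-encoded '%252e%252e' would be interpreted differently from what the framework saw."""
    if "\x00" in requested:
        raise ValueError("NUL byte in requested name")
    root = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(root, requested))
    # Both paths are absolute and canonical, so a shared prefix shorter than root means escape.
    if target == root or os.path.commonpath([root, target]) != root:
        raise PermissionError("requested path escapes the allowed directory: %r" % requested)
    with open(target, "rb") as fh:
        return fh.read()


def build_fixture():
    """Constructed layout: an 'uploads' dir the app may serve, beside a 'project' dir it must not."""
    root = tempfile.mkdtemp(prefix="traversal-demo-")
    uploads = os.path.join(root, "uploads")
    project = os.path.join(root, "project")
    os.makedirs(uploads)
    os.makedirs(project)
    with open(os.path.join(uploads, "report.txt"), "wb") as fh:
        fh.write(b"electrophysiology report (constructed sample)\n")
    config = os.path.join(project, "config.xml")
    with open(config, "wb") as fh:
        fh.write(b"<database><password>constructed-not-real</password></database>\n")
    # A symlink inside the served directory pointing outside it: realpath() must see through it.
    os.symlink(config, os.path.join(uploads, "link-to-config"))
    return root, uploads


def demo():
    """Run both readers against the fixture and report what leaked and what was blocked."""
    root, uploads = build_fixture()
    try:
        result = {
            "vulnerable_leak": vulnerable_read(uploads, "../project/config.xml"),
            "safe_legit": safe_read(uploads, "report.txt"),
            "blocked": [],
            "escaped": [],
        }
        probes = [
            "../project/config.xml",                      # plain parent-directory escape
            "report.txt/../../project/config.xml",        # escape hidden behind a valid prefix
            os.path.join(root, "project", "config.xml"),  # absolute path replaces base_dir
            "link-to-config",                             # symlink out of the served directory
        ]
        for probe in probes:
            try:
                safe_read(uploads, probe)
                result["escaped"].append(probe)
            except PermissionError:
                result["blocked"].append(probe)
        return result
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    outcome = demo()
    print("vulnerable reader leaked:", outcome["vulnerable_leak"].decode().strip())
    print("hardened reader blocked:", outcome["blocked"])
    print("hardened reader allowed through:", outcome["escaped"])
```

The containment check is done on the canonical path rather than on the raw string because string-level filtering of `..` is what traversal payloads are designed to slip past. Where the application only ever serves files from a single flat directory, an even stricter variant is to accept nothing but a basename that matches an allowlist and refuse anything containing a separator.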
Details
- CWE(s)