CVE-2026-34392
Published: 08 April 2026
Summary
CVE-2026-34392 is a high-severity Files or Directories Accessible to External Parties (CWE-552) vulnerability in Mcgill Loris. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Validates and sanitizes file path inputs to the static file router, preventing directory traversal payloads like ../ sequences from accessing unintended files.
Remediates the specific bug in the static file router by identifying, prioritizing, and applying patches such as those released in LORIS 27.0.3 and 28.0.1.
Deploys boundary protection mechanisms like web application firewalls to monitor and block malicious requests to static, css, and js endpoints exploiting directory traversal.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Directory traversal in public-facing web app directly enables T1190 exploitation and facilitates T1005 by allowing remote download of local files like configs and data.
NVD Description
LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 20.0.0 to before 27.0.3 and 28.0.1, a bug in the static file router can allow an attacker to traverse…
more
outside of the intended directory, allowing unintended files to be downloaded through the static, css, and js endpoints. This vulnerability is fixed in 27.0.3 and 28.0.1.
Deeper analysisAI
CVE-2026-34392 is a directory traversal vulnerability (CWE-552) in LORIS, a self-hosted web application used for data and project management in neuroimaging research. The issue affects versions from 20.0.0 up to but not including 27.0.3 and 28.0.1, stemming from a bug in the static file router. This flaw enables attackers to access files outside the intended directory by exploiting the static, css, and js endpoints, potentially exposing sensitive data. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high severity due to its network accessibility and confidentiality impact.
An unauthenticated remote attacker can exploit this vulnerability with low complexity and no user interaction required. By crafting requests to the affected endpoints with traversal payloads (such as ../ sequences), the attacker can download unintended files from the server, including potentially sensitive configuration files, source code, or research data hosted by LORIS instances.
The GitHub security advisory (GHSA-rfj5-58hv-wc5f) confirms the vulnerability was fixed in LORIS versions 27.0.3 and 28.0.1. Security practitioners should upgrade affected installations to these patched releases immediately and review access logs for suspicious requests to static, css, or js endpoints.
Details
- CWE(s)