CVE-2026-35446
Published: 08 April 2026
Summary
CVE-2026-35446 is a high-severity Files or Directories Accessible to External Parties (CWE-552) vulnerability in Mcgill Loris. Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 12.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI-generated)
- Directly mitigates the directory traversal vulnerability by identifying, reporting, and applying the vendor patches released in LORIS versions 27.0.3 and 28.0.1.
- Validates and sanitizes file path inputs to the FilesDownloadHandler, preventing attackers from using traversal sequences like '../' to escape intended directories.
- Enforces logical access restrictions in the application to ensure low-privilege users can only access files within authorized download directories.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
Directory traversal in the LORIS web app's download handler directly enables exploitation of a public-facing application (T1190) to read arbitrary sensitive files on the local system (T1005).
NVD Description
LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 24.0.0 to before 27.0.3 and 28.0.1, an incorrect order of operations in the FilesDownloadHandler could result in an attacker escaping the intended download directories. This vulnerability is fixed in 27.0.3 and 28.0.1.
Deeper analysis (AI-generated)
CVE-2026-35446 is a directory traversal vulnerability in LORIS, a self-hosted web application for data and project management in neuroimaging research. The issue stems from an incorrect order of operations in the FilesDownloadHandler, affecting versions from 24.0.0 up to but not including 27.0.3 and 28.0.1. This flaw, classified under CWE-552 (Files or Directories Accessible to External Parties), carries a CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N), indicating high severity due to its potential for unauthorized data access.
An attacker with low-privilege authenticated access (PR:L) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) and no user interaction required (UI:N). By manipulating download requests, they can escape the intended download directories and read sensitive files outside the restricted paths, a high-impact confidentiality breach (C:H) with a changed scope (S:C), meaning the impact reaches resources beyond the vulnerable component's own security authority; integrity and availability remain unaffected.
The GitHub security advisory (GHSA-47jj-7xfg-8759) confirms the vulnerability and states it is fixed in LORIS versions 27.0.3 and 28.0.1. Security practitioners should upgrade to these patched releases to mitigate the issue, ensuring all instances of affected versions are updated promptly.
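The advisory describes the root cause only as an "incorrect order of operations" in the download handler, and the mitigation list above asks for path validation and access enforcement. The following added example (written for this page, not LORIS's own code, which the page does not show) illustrates the general shape of that bug class and its fix with a hypothetical download resolver: the weak variant checks containment on the raw joined path and only then canonicalises it, so a `..` segment passes the textual check and is collapsed afterwards; the hardened variant canonicalises first and then checks that the resolved path lies inside the resolved base directory. The sandbox directory, file names and contents are constructed for the example.

```python
import os
import tempfile
from typing import Callable, Optional

# Constructed sandbox: a download directory with one file that may be served,
# and one file outside it standing in for a sensitive file that must never be.
ROOT = tempfile.mkdtemp(prefix="traversal-example-")
DOWNLOAD_DIR = os.path.join(ROOT, "downloads")
os.makedirs(DOWNLOAD_DIR)
with open(os.path.join(DOWNLOAD_DIR, "report.csv"), "w") as f:
    f.write("subject,visit\n")
with open(os.path.join(ROOT, "secret.txt"), "w") as f:
    f.write("not for download\n")


def resolve_weak(base_dir: str, requested: str) -> Optional[str]:
    """Wrong order (hypothetical, for illustration): the containment check runs
    on the *unresolved* joined path, and canonicalisation happens afterwards.
    'downloads/../secret.txt' starts with 'downloads/' textually, so it passes,
    and realpath() then collapses the '..' to a path outside base_dir."""
    candidate = os.path.join(base_dir, requested)
    if not candidate.startswith(base_dir + os.sep):
        return None
    return os.path.realpath(candidate)


def resolve_safe(base_dir: str, requested: str) -> Optional[str]:
    """Correct order: canonicalise both the base and the candidate first
    (collapsing '..', '.', and symlinks), then require that the canonical
    candidate is contained in the canonical base."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    # commonpath() compares whole path components, so a sibling directory
    # that merely shares a prefix (e.g. 'downloads2') is rejected as well.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def serve(resolver: Callable[[str, str], Optional[str]],
          requested: str) -> Optional[bytes]:
    """Return the file's bytes if the resolver allows the path, else None."""
    path = resolver(DOWNLOAD_DIR, requested)
    if path is None or not os.path.isfile(path):
        return None
    with open(path, "rb") as fh:
        return fh.read()


if __name__ == "__main__":
    for name, resolver in (("weak", resolve_weak), ("safe", resolve_safe)):
        for req in ("report.csv", "../secret.txt", "/etc/passwd"):
            print(f"{name:4} {req:15} -> {serve(resolver, req)!r}")
```

Both resolvers serve `report.csv`; only the weak ordering lets `../secret.txt` through. For a real handler the containment check is still only the first layer: the page's AC-3 item (restricting low-privilege users to the directories they are authorised for) is a separate, per-user decision that should run after the path has been resolved, not before.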
Details
- CWE(s)