CVE-2026-26984

8.8 HIGH

📋 TL;DR

LORIS versions before 26.0.5, 27.0.2, and 28.0.0 contain a path traversal vulnerability in the media module that allows authenticated users with sufficient privileges to upload malicious files to arbitrary server locations. This can lead to remote code execution if the server is not configured as read-only. Only authenticated users with specific permissions are affected.

💻 Affected Systems

Products:
  • LORIS (Longitudinal Online Research and Imaging System)
Versions: All versions before 26.0.5, before 27.0.2, and before 28.0.0
Operating Systems: All platforms running LORIS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user with media module upload permissions. Read-only server configuration prevents RCE but not file upload.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Authenticated attacker achieves remote code execution, potentially compromising the entire server and sensitive neuroimaging research data.

🟠 Likely Case

Privileged authenticated user uploads malicious file leading to server compromise or data exfiltration.

🟢 If Mitigated

File upload prevented or limited to read-only operations with no code execution.

🌐 Internet-Facing: HIGH if exposed to internet with vulnerable versions and authenticated users.
🏢 Internal Only: MEDIUM to HIGH depending on user privilege management and network segmentation.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access with specific permissions. Path traversal to arbitrary file upload is straightforward for privileged users.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v26.0.5+, v27.0.2+, v28.0.0+

Vendor Advisory: https://github.com/aces/Loris/security/advisories/GHSA-mpgc-c48m-6v2h

Restart Required: Yes

Instructions:

1. Backup your LORIS installation and database.
2. Download the patched version from GitHub releases.
3. Replace the existing installation with the patched version.
4. Restart the web server and LORIS services.

🔧 Temporary Workarounds

Disable Media Module (applies to: all)

Disable the vulnerable media module if not required for operations.

# Disable via LORIS configuration or remove/rename media module directory

🧯 If You Can't Patch

  • Implement strict access controls to limit media module permissions to minimal required users.
  • Configure server as read-only to prevent remote code execution (though file upload may still be possible).

🔍 How to Verify

Check if Vulnerable:

Check LORIS version against affected ranges. Review user permissions for media module access.

Check Version:

# Check LORIS version in web interface or configuration files

Verify Fix Applied:

Confirm installation of v26.0.5+, v27.0.2+, or v28.0.0+. Test media upload functionality with path traversal attempts.
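The version check above, as an added example (not LORIS project code). It assumes the fix shipped per release line, as the patch versions listed on this page suggest: 26.x fixed in 26.0.5, 27.x in 27.0.2, 28.x in 28.0.0; releases newer than 28.0.0 are assumed to carry the fix, and releases older than 26.x are treated as vulnerable because the advisory says "before 26.0.5". Feed it the version string shown in the LORIS web interface or configuration.

```python
"""Compare a LORIS version string against the fixed releases for CVE-2026-26984.

Added example, not part of the LORIS project. Assumptions: the fix is per
release line (26.0.5 / 27.0.2 / 28.0.0), later lines include it, and
anything older than 26.x is unfixed.
"""
import re

# Fixed release for each affected line (from the advisory's patch versions).
FIXED = {26: (26, 0, 5), 27: (27, 0, 2), 28: (28, 0, 0)}
HIGHEST_FIXED_MAJOR = max(FIXED)


def parse_version(text):
    """Parse 'v27.0.2' or '27.0.2' into a comparable (major, minor, patch) tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised LORIS version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(text):
    """True if the given LORIS version falls inside the affected ranges."""
    version = parse_version(text)
    major = version[0]
    if major in FIXED:
        # Same release line: vulnerable only if older than that line's fix.
        return version < FIXED[major]
    if major > HIGHEST_FIXED_MAJOR:
        return False  # assumption: lines newer than 28.x carry the fix
    return True  # older than the oldest fixed line (before 26.0.5)


def classify(versions):
    """Map each version string to 'VULNERABLE' or 'fixed' for a quick report."""
    return {v: ("VULNERABLE" if is_vulnerable(v) else "fixed") for v in versions}


if __name__ == "__main__":
    # Constructed sample inputs covering each release line.
    for ver, status in classify(["v25.0.0", "26.0.4", "v26.0.5", "27.0.1",
                                 "27.0.2", "28.0.0", "v28.1.0"]).items():
        print(f"{ver:>8}: {status}")
```

If your deployment reports a pre-release or development build, the regex rejects it rather than guessing; treat such builds as unfixed until you have confirmed the commit they are based on.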

📡 Detection & Monitoring

Log Indicators:

  • Unusual file upload patterns in media module logs
  • Path traversal attempts in web server logs

Network Indicators:

  • HTTP POST requests to media upload endpoints with suspicious filenames

SIEM Query:

web_server_logs WHERE (uri CONTAINS '/media/' AND method='POST') AND (filename CONTAINS '../' OR filename CONTAINS '..\\')
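The SIEM query above expressed as runnable detection logic over constructed sample log records, as an added example (not code from this page or from the LORIS project). The JSON-lines format with `method`, `uri`, `user` and `filename` fields is an assumption, as is the `/media/upload` path; map them onto whatever your media-module or web-server logs actually carry. It goes slightly beyond the query by percent-decoding the filename and treating backslashes as separators, so encoded traversal sequences are caught as well as literal `../` and `..\`.

```python
"""Flag media-module upload records whose filename carries a traversal sequence.

Added example, not LORIS code. The log format and the /media/upload URI are
constructed assumptions; the detection mirrors the SIEM query on this page
(POST to a /media/ URI with '../' or '..\\' in the filename) and adds
percent-decoding so encoded variants are not missed.
"""
import json
from urllib.parse import unquote

# Constructed sample records (JSON lines). Backslashes are JSON-escaped.
SAMPLE_LOG = r"""
{"ts":"2026-03-01T10:00:00Z","method":"POST","uri":"/media/upload","user":"alice","filename":"scan_001.nii.gz"}
{"ts":"2026-03-01T10:00:05Z","method":"POST","uri":"/media/upload","user":"bob","filename":"../../../var/www/html/x.php"}
{"ts":"2026-03-01T10:00:09Z","method":"POST","uri":"/media/upload","user":"carol","filename":"..%2F..%2Fconfig%2Fconfig.xml"}
{"ts":"2026-03-01T10:00:12Z","method":"GET","uri":"/media/upload","user":"dave","filename":"../x.txt"}
{"ts":"2026-03-01T10:00:15Z","method":"POST","uri":"/media/upload","user":"erin","filename":"..\\..\\report.pdf"}
{"ts":"2026-03-01T10:00:20Z","method":"POST","uri":"/media/upload","user":"frank","filename":"%2e%2e%2fetc%2fpasswd"}
{"ts":"2026-03-01T10:00:25Z","method":"POST","uri":"/media/upload","user":"grace","filename":"scan..v2.nii"}
"""


def normalise_filename(name, max_rounds=3):
    """Percent-decode until stable (bounded) and use '/' as the only separator."""
    for _ in range(max_rounds):
        decoded = unquote(name)
        if decoded == name:
            break
        name = decoded
    return name.replace("\\", "/")


def has_traversal(name):
    """True if any path segment of the normalised filename is exactly '..'."""
    return ".." in normalise_filename(name).split("/")


def find_suspicious_uploads(log_text):
    """Return (ts, user, filename) for POSTs to /media/ URIs with traversal names."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("method") != "POST" or "/media/" not in rec.get("uri", ""):
            continue
        if has_traversal(rec.get("filename", "")):
            hits.append((rec["ts"], rec["user"], rec["filename"]))
    return hits


if __name__ == "__main__":
    for ts, user, filename in find_suspicious_uploads(SAMPLE_LOG):
        print(f"{ts} user={user} filename={filename!r}")
```

Matching on whole `..` segments rather than the substring `..` keeps names such as `scan..v2.nii` from firing; the GET record is skipped because the query, like the vulnerability, concerns uploads. Note that a web-server access log usually does not contain the multipart filename at all, so this logic belongs on the application-side upload log or a request-body-aware proxy.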
