IronMonkey Threat Research

OHIF Viewers DICOM

HIGH
CVSS 8.2
Date 2026-06-25T06:00:00+00:00
Source cisa-csaf
Published by CISA

// Description

Successful exploitation of this vulnerability in a custom integration version could allow an attacker to steal an authenticated clinician's token via a crafted link.

// Vulnerabilities (1)

CVE ID: CVE-2026-12473
CVSS Score: 8.2
Severity: High
Description: Two data sources (DICOMWebProxy and DICOMJSON) shipped in the default configuration fetch an arbitrary URL parameter without validation. A global authentication service in OHIF automatically injects the authenticated user's OIDC Bearer token into the resulting requests, sending it to the attacker-controlled server. DICOMweb data sources are not impacted.

// Remediations (3)

Mitigation: The maintainer has fixed the reported vulnerability and released version 3.12.2 (2026-05-18). The fix is located at OHIF/Viewers#5985 (master), OHIF/Viewers#5978 (release/3.12).
Mitigation: Users are recommended to upgrade to v3.12.2 or later. Operators who need dicomwebproxy or dicomjson in authenticated deployments must additionally configure the new dangerouslyAllowedOriginsForAuthenticatedEnvironments allowlist in app-config.js.
Mitigation: Users running OHIF with authentication should remove ALL unused DicomWebProxyDataSource and DicomJSONDataSource configurations from the configuration file they are deploying with.
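The core of the fix described above is an origin allowlist consulted before a bearer token is attached to an outbound request. The following is an added illustration of that check, not OHIF's own code; the allowlist shape, the origin names and the helper functions are assumptions, and the point is that the comparison must be on the parsed origin, never on a substring of the user-supplied URL.

```javascript
// Added illustration (not OHIF's code): decide whether a request to
// `targetUrl` may carry the clinician's OIDC bearer token, given an explicit
// allowlist of trusted origins. Allowlist entries and hostnames are constructed.
const DEFAULT_ALLOWED_ORIGINS = ['https://pacs.hospital.example'];

function shouldAttachToken(targetUrl, allowedOrigins = DEFAULT_ALLOWED_ORIGINS) {
  let parsed;
  try {
    // Absolute URLs only; relative or malformed input is refused outright.
    parsed = new URL(targetUrl);
  } catch {
    return false;
  }
  // A bearer token must never leave over cleartext.
  if (parsed.protocol !== 'https:') return false;
  // Compare the full parsed origin (scheme + host + port), never a prefix or
  // substring of the URL, so "https://pacs.hospital.example.evil.example" and
  // "https://pacs.hospital.example@evil.example" both fail to match.
  return allowedOrigins.some((entry) => {
    try {
      return new URL(entry).origin === parsed.origin;
    } catch {
      return false; // a malformed allowlist entry never grants access
    }
  });
}

// Request-header builder that applies the decision: the Authorization header
// is added only for allowlisted origins; any other destination is sent without
// credentials (a deployment may prefer to refuse the request entirely).
function buildRequestHeaders(targetUrl, token, allowedOrigins = DEFAULT_ALLOWED_ORIGINS) {
  const headers = { Accept: 'application/dicom+json' };
  if (shouldAttachToken(targetUrl, allowedOrigins)) {
    headers.Authorization = `Bearer ${token}`;
  }
  return headers;
}
```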

// References