OHIF Viewers DICOM
View CSAF Summary Successful exploitation of this vulnerability in a custom integration version could allow an attacker to steal an authenticated clinician's token via a crafted link. The following versions of OHIF Viewers DICOM are affected: OHIF DICOM Web Viewer Framework <=v3.12.0 CVSS Vendor Equipment Vulnerabilities v3 8.2 Open Health Imaging Foundation (OHIF) OHIF Viewers DICOM Server-Side Request Forgery (SSRF) Background Critical Infrastructure Sectors: Healthcare and Public Health Countries/Areas Deployed: Worldwide Company Headquarters Location: United States Vulnerabilities Expand All + CVE-2026-12473 Two data sources (DICOMWebProxy and DICOMJSON) shipped in the default configuration fetch an arbitrary URL parameter without validation. A global authentication service in OHIF automatically injects the authenticated user's OIDC Bearer token into the resulting requests, sending it to the attacker-controlled server. DICOMweb data sources are not impacted. View CVE Details Affected Products OHIF Viewers DICOM Vendor: Open Health Imaging Foundation (OHIF) Product Version: Open Health Imaging Foundation (OHIF) OHIF DICOM Web Viewer Framework: <=v3.12.0 Product Status: known_affected Remediations Mitigation The maintainer has fixed the reported vulnerability and released version 3.12.2 (2026-05-18). The fix is located at OHIF/Viewers#5985 (master), OHIF/Viewers#5978 (release/3.12). Mitigation Users are recommended to upgrade to v3.12.2 or later. Operators who need dicomwebproxy or dicomjson in authenticated deployments must additionally configure the new dangerouslyAllowedOriginsForAuthenticatedEnvironments allowlist in app-config.js. Mitigation Users running OHIF with authentication should remove ALL unused DicomWebProxyDataSource and DicomJSONDataSource configurations from the configuration file they are deploying with. Relevant CWE: CWE-918 Server-Side Request Forgery (SSRF) Metrics CVSS Version Base Score Base Severity Vector String 3.1 8.2 HIGH CVSS:3.1/AV:N
CSIRTS triage
- What
- A vulnerability could allow an attacker to steal an authenticated clinician's token.
- Who is affected
- Users of OHIF Viewers DICOM versions up to and including v3.12.0.
- Urgency
- Critical urgency due to the risk of token theft.
- Action
- Update to a version later than v3.12.0.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch Viewers DICOM
Get an email when a new Viewers DICOM advisory drops — max one per day, one-click unsubscribe.
Details
Original advisory: https://www.cisa.gov/news-events/ics-medical-advisories/icsma-26-176-02
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2026-124730.23% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 14% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-12473 | coverage & exploitation status | NVD · CVE.org |
Same CVEs, other sources
How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.
More from CISA Cybersecurity Advisories
- highCISA Adds Two Known Exploited Vulnerabilities to Catalog2026-07-10
- criticalSchneider Electric PowerChute Serial Shutdown2026-07-09
- criticalOpenPLC v32026-07-09
- criticalSchneider Electric Easergy MiCOM Px40 Series2026-07-09
- highCISA Adds One Known Exploited Vulnerability to Catalog2026-07-07