CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-12473

criticalCVSS 8.2covered by 2 sourcesfirst seen 2026-06-25
View CSAF Summary Successful exploitation of this vulnerability in a custom integration version could allow an attacker to steal an authenticated clinician's token via a crafted link. The following versions of OHIF Viewers DICOM are affected: OHIF DICOM Web Viewer Framework <=v3.12.0 CVSS Vendor Equipment Vulnerabilities v3 8.2 Open Health Imaging Foundation (OHIF) OHIF Viewers DICOM Server-Side Request Forgery (SSRF) Background Critical Infrastructure Sectors: Healthcare and Public Health Countries/Areas Deployed: Worldwide Company Headquarters Location: United States Vulnerabilities Expand All + CVE-2026-12473 Two data sources (DICOMWebProxy and DICOMJSON) shipped in the default configuration fetch an arbitrary URL parameter without validation. A global authentication service in OHIF automatically injects the authenticated user's OIDC Bearer token into the resulting requests, sending it to the attacker-controlled server. DICOMweb data sources are not impacted. View CVE Details Affected Products OHIF Viewers DICOM Vendor: Open Health Imaging Foundation (OHIF) Product Version: Open Health Imaging Foundation (OHIF) OHIF DICOM Web Viewer Framework: <=v3.12.0 Product Status: known_affected Remediations Mitigation The maintainer has fixed the reported vulnerability and released version 3.12.2 (2026-05-18). The fix is located at OHIF/Viewers#5985 (master), OHIF/Viewers#5978 (release/3.12). Mitigation Users are recommended to upgrade to v3.12.2 or later. Operators who need dicomwebproxy or dicomjson in authenticated deployments must additionally configure the new dangerouslyAllowedOriginsForAuthenticatedEnvironments allowlist in app-config.js. Mitigation Users running OHIF with authentication should remove ALL unused DicomWebProxyDataSource and DicomJSONDataSource configurations from the configuration file they are deploying with. Relevant CWE: CWE-918 Server-Side Request Forgery (SSRF) Metrics CVSS Version Base Score Base Severity Vector String 3.1 8.2 HIGH CVSS:3.1/AV:N

CSIRTS triage

What
A vulnerability could allow an attacker to steal an authenticated clinician's token.
Who is affected
Users of OHIF Viewers DICOM versions up to and including v3.12.0.
Urgency
Critical urgency due to the risk of token theft.
Action
Update to a version later than v3.12.0.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch CVE-2026-12473

Get an email if CVE-2026-12473 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (2)

External references

NVD record for CVE-2026-12473

CVE.org record

Embed the live status

CVE-2026-12473 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-12473 status](https://www.csirts.com/badge/CVE-2026-12473)](https://www.csirts.com/cve/CVE-2026-12473)