CVE-2026-12473
View CSAF Summary Successful exploitation of this vulnerability in a custom integration version could allow an attacker to steal an authenticated clinician's token via a crafted link. The following versions of OHIF Viewers DICOM are affected: OHIF DICOM Web Viewer Framework <=v3.12.0 CVSS Vendor Equipment Vulnerabilities v3 8.2 Open Health Imaging Foundation (OHIF) OHIF Viewers DICOM Server-Side Request Forgery (SSRF) Background Critical Infrastructure Sectors: Healthcare and Public Health Countries/Areas Deployed: Worldwide Company Headquarters Location: United States Vulnerabilities Expand All + CVE-2026-12473 Two data sources (DICOMWebProxy and DICOMJSON) shipped in the default configuration fetch an arbitrary URL parameter without validation. A global authentication service in OHIF automatically injects the authenticated user's OIDC Bearer token into the resulting requests, sending it to the attacker-controlled server. DICOMweb data sources are not impacted. View CVE Details Affected Products OHIF Viewers DICOM Vendor: Open Health Imaging Foundation (OHIF) Product Version: Open Health Imaging Foundation (OHIF) OHIF DICOM Web Viewer Framework: <=v3.12.0 Product Status: known_affected Remediations Mitigation The maintainer has fixed the reported vulnerability and released version 3.12.2 (2026-05-18). The fix is located at OHIF/Viewers#5985 (master), OHIF/Viewers#5978 (release/3.12). Mitigation Users are recommended to upgrade to v3.12.2 or later. Operators who need dicomwebproxy or dicomjson in authenticated deployments must additionally configure the new dangerouslyAllowedOriginsForAuthenticatedEnvironments allowlist in app-config.js. Mitigation Users running OHIF with authentication should remove ALL unused DicomWebProxyDataSource and DicomJSONDataSource configurations from the configuration file they are deploying with. Relevant CWE: CWE-918 Server-Side Request Forgery (SSRF) Metrics CVSS Version Base Score Base Severity Vector String 3.1 8.2 HIGH CVSS:3.1/AV:N
CSIRTS triage
- What
- A vulnerability could allow an attacker to steal an authenticated clinician's token.
- Who is affected
- Users of OHIF Viewers DICOM versions up to and including v3.12.0.
- Urgency
- Critical urgency due to the risk of token theft.
- Action
- Update to a version later than v3.12.0.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch CVE-2026-12473
Get an email if CVE-2026-12473 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.
Exploitation outlook
- Low exploitation risk0.23% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 14% of all EPSS-scored CVEs.
Advisory coverage (2)
- highCVE-2026-12473: Two data sources (DICOMWebProxy and DICOMJSON) shipped in the default configuration fetch an a…nvd · 2026-06-25
- criticalOHIF Viewers DICOMcisa · 2026-06-25
External references
Embed the live status
— this badge updates automatically when the KEV or exploit status changes. How to embed it →
[](https://www.csirts.com/cve/CVE-2026-12473)