Open Health Imaging Foundation: High-Severity Vulnerability Identified in OHIF Viewers DICOM

High-Severity SSRF Vulnerability in OHIF Viewers DICOM Exposes Clinician Tokens

A high-severity Server-Side Request Forgery (SSRF) vulnerability (CVE-2026-12473) has been discovered in OHIF (Open Health Imaging Foundation) Viewers DICOM, a widely used medical imaging framework. The flaw, rated 8.2 (CVSS v3.1) and 8.3 (CVSS v4.0), could allow attackers to steal an authenticated clinician’s OIDC Bearer token by tricking them into clicking a malicious link.

The vulnerability stems from two data sources that are enabled by default, DICOMWebProxy and DICOMJSON, which fetch whatever URL is supplied in a query parameter without validating it. When a signed-in clinician opens a crafted link, OHIF's global authentication service attaches the clinician's OIDC Bearer token to that outbound request, so the token can be delivered to an attacker-controlled server. The standard DICOMweb data source is not affected.

The issue is reported to affect OHIF DICOM Web Viewer Framework versions prior to 3.12.0. The maintainers shipped the fix in version 3.12.2 on May 18, 2026, via OHIF/Viewers#5985 (master) and OHIF/Viewers#5978 (release/3.12). Organizations running OHIF with authentication, or relying on dicomwebproxy/dicomjson in authenticated deployments, are urged to upgrade and to review the additional mitigation steps outlined in the CISA security advisory.
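The pattern described above, as an added example written for this page (it is not code from OHIF, from the patch, or from the advisory): a viewer that takes a URL from a query parameter and lets a global auth layer attach the clinician's bearer token to every request, beside a hardened version that only attaches the token when the destination is an https origin on an operator allow-list, plus a small scan over constructed access-log lines that flags links which would have carried a token off-site. The function names (`buildRequestVulnerable`, `buildRequestHardened`, `findSuspectViewerLinks`), the query-parameter name `url`, the allow-list contents, the hostnames and the log lines are all assumptions for illustration.

```javascript
// Added example, not OHIF project code. Demonstrates the bug class in the
// article (a viewer that fetches a caller-supplied URL and lets a global
// auth layer attach the clinician's bearer token to every request) beside
// a hardened version. All identifiers, hosts and log lines below are
// constructed for illustration and are not OHIF's own.

// Assumed operator configuration: the only DICOM endpoints the viewer may
// send credentials to.
const ALLOWED_ORIGINS = new Set(['https://pacs.hospital.example']);

// Vulnerable pattern: the `url` query parameter of the viewer link is used
// verbatim as the fetch target, and the token is attached unconditionally.
function buildRequestVulnerable(viewerHref, token) {
  const target = new URL(viewerHref).searchParams.get('url'); // attacker-controlled
  return { url: target, headers: { Authorization: `Bearer ${token}` } };
}

// Hardened pattern: parse the parameter, require https and an allow-listed
// origin, and only then attach the token. Returns { error } otherwise so
// the caller never builds an authenticated request to an unknown host.
function buildRequestHardened(viewerHref, token, allowedOrigins = ALLOWED_ORIGINS) {
  const viewerUrl = new URL(viewerHref);
  const raw = viewerUrl.searchParams.get('url');
  if (raw === null) return { error: 'missing url parameter' };

  let target;
  try {
    // Relative and protocol-relative values ("//evil.example/x") resolve
    // against the viewer's own origin, so the origin check below still
    // sees the real destination.
    target = new URL(raw, viewerUrl.origin);
  } catch {
    return { error: 'unparseable url parameter' };
  }
  if (target.protocol !== 'https:') {
    return { error: `refusing scheme ${target.protocol}` };
  }
  // `origin` is scheme + host + port, so "https://pacs.hospital.example@evil.example/"
  // (userinfo trick) and "https://pacs.hospital.example.evil.example/" both fail here.
  if (!allowedOrigins.has(target.origin)) {
    return { error: `origin not allowed: ${target.origin}` };
  }
  // Drop any embedded userinfo so the bearer token is the only credential sent.
  target.username = '';
  target.password = '';
  return { url: target.href, headers: { Authorization: `Bearer ${token}` } };
}

// Constructed viewer links: one legitimate, one as a phishing link would look.
const LEGIT = 'https://viewer.hospital.example/?url=https://pacs.hospital.example/dicom-web/studies';
const PHISH = 'https://viewer.hospital.example/?url=https://attacker.example/collect';

// Constructed access-log lines ("<timestamp> <client-ip> GET <request-url>"),
// not real data. Running the same validation over historical viewer requests
// surfaces links that would have carried a token off-site.
const SAMPLE_LOG = [
  '2026-05-18T09:01:12Z 10.0.4.17 GET https://viewer.hospital.example/?url=https://pacs.hospital.example/dicom-web/studies',
  '2026-05-18T09:03:45Z 10.0.4.22 GET https://viewer.hospital.example/?url=https://attacker.example/collect',
  '2026-05-18T09:04:02Z 10.0.4.22 GET https://viewer.hospital.example/?url=//attacker.example/x',
  '2026-05-18T09:05:30Z 10.0.4.31 GET https://viewer.hospital.example/',
];

function findSuspectViewerLinks(logLines, allowedOrigins = ALLOWED_ORIGINS) {
  const hits = [];
  for (const line of logLines) {
    const [ts, ip, , href] = line.split(' ');
    let viewerUrl;
    try { viewerUrl = new URL(href); } catch { continue; } // not a viewer request
    if (!viewerUrl.searchParams.has('url')) continue;       // no data-source override
    const verdict = buildRequestHardened(href, 'redacted', allowedOrigins);
    if (verdict.error) hits.push({ ts, ip, href, reason: verdict.error });
  }
  return hits;
}

// Stand-alone run: show the difference on the phishing link and the log scan.
console.log('vulnerable:', buildRequestVulnerable(PHISH, 'eyJ...').url);
console.log('hardened:  ', buildRequestHardened(PHISH, 'eyJ...').error);
console.log('log hits:  ', findSuspectViewerLinks(SAMPLE_LOG));
```

The check is on `origin` rather than on a hostname substring: a prefix or suffix match would accept `pacs.hospital.example.attacker.example` or a URL with `pacs.hospital.example@` in the userinfo, and a scheme check is needed because the token must never ride on a cleartext request. The log scan reuses the same validator so that detection and the fix cannot drift apart.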

Source: https://www.hipaajournal.com/high-severity-vulnerability-identified-in-ohif-viewers-dicom/

Open Medical cybersecurity rating report: https://www.rankiteo.com/company/openmedical

"id": "OPE1782476713",
"linkid": "openmedical",
"type": "Vulnerability",
"date": "5/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Organizations using OHIF with '
                                              'authentication or relying on '
                                              'dicomwebproxy/dicomjson in '
                                              'authenticated deployments',
                        'industry': 'Healthcare / Medical Imaging',
                        'name': 'OHIF (Open Health Imaging Foundation)',
                        'type': 'Software Framework'}],
 'attack_vector': 'Malicious link (phishing)',
 'data_breach': {'data_exfiltration': 'Possible if exploited',
                 'personally_identifiable_information': 'Potential (if tokens '
                                                        'are used to access '
                                                        'patient data)',
                 'sensitivity_of_data': 'High (clinician authentication '
                                        'credentials)',
                 'type_of_data_compromised': 'Authentication tokens (OIDC '
                                             'Bearer tokens)'},
 'date_publicly_disclosed': '2026-05-18',
 'date_resolved': '2026-05-18',
 'description': 'A high-severity Server-Side Request Forgery (SSRF) '
                'vulnerability (CVE-2026-12473) has been discovered in OHIF '
                '(Open Health Imaging Foundation) Viewers DICOM, a widely used '
                'medical imaging framework. The flaw could allow attackers to '
                'steal an authenticated clinician’s OIDC Bearer token by '
                'tricking them into clicking a malicious link. The '
                'vulnerability stems from two default-configured data sources '
                '(DICOMWebProxy and DICOMJSON) which fetch arbitrary URL '
                'parameters without proper validation. The issue impacts OHIF '
                'DICOM Web Viewer Framework versions prior to 3.12.0.',
 'impact': {'data_compromised': 'OIDC Bearer tokens (clinician authentication '
                                'tokens)',
            'identity_theft_risk': 'High (clinician and patient data access '
                                   'risk)',
            'operational_impact': 'Potential unauthorized access to medical '
                                  'imaging systems',
            'systems_affected': 'OHIF DICOM Web Viewer Framework (versions '
                                'prior to 3.12.0)'},
 'investigation_status': 'Resolved (patch released)',
 'post_incident_analysis': {'corrective_actions': 'Input validation '
                                                  'implemented; patch released '
                                                  '(version 3.12.2)',
                            'root_causes': 'Lack of proper input validation in '
                                           'DICOMWebProxy and DICOMJSON data '
                                           'sources; injection of clinician '
                                           'tokens into arbitrary requests'},
 'recommendations': 'Upgrade to patched version (3.12.2 or later); implement '
                    'input validation for URL parameters; review CISA advisory '
                    'for additional mitigations',
 'references': [{'source': 'CISA Security Advisory'},
                {'source': 'OHIF GitHub (OHIF/Viewers#5985 on master, '
                           'OHIF/Viewers#5978 on release/3.12)',
                 'url': 'https://github.com/OHIF/Viewers'}],
 'regulatory_compliance': {'regulatory_notifications': 'CISA security advisory '
                                                       'issued'},
 'response': {'containment_measures': 'Patch released (version 3.12.2)',
              'remediation_measures': 'Upgrade to OHIF Viewers version 3.12.2 '
                                      'or later; review additional mitigation '
                                      'steps in CISA security advisory'},
 'stakeholder_advisories': 'Organizations using OHIF urged to upgrade and '
                           'review CISA advisory',
 'title': 'High-Severity SSRF Vulnerability in OHIF Viewers DICOM Exposes '
          'Clinician Tokens',
 'type': 'Server-Side Request Forgery (SSRF)',
 'vulnerability_exploited': 'CVE-2026-12473'}