CVE-2026-12473
HighCVSS 8.2Exploitation Probability (EPSS)
Low risk14th percentile - higher than 14% of all known CVEs
Summary
The vulnerability in OHIF Viewer involves two default data sources (DICOMWebProxy and DICOMJSON) that fetch an arbitrary URL parameter without validation. A global authentication service automatically injects the authenticated user's OIDC Bearer token into requests, sending it to an attacker-controlled server. DICOMweb data sources are not affected.
Risk Assessment
The risk involves leakage of the OIDC Bearer token to an attacker, potentially enabling unauthorized access to systems and medical data.
Recommendation
It is recommended to immediately update OHIF Viewer to a version that fixes this vulnerability and verify the configuration of DICOMWebProxy and DICOMJSON data sources.
Original NVD description (English source)
Two data sources (DICOMWebProxy and DICOMJSON) shipped in the default configuration fetch an arbitrary URL parameter without validation. A global authentication service in OHIF automatically injects the authenticated user's OIDC Bearer token into the resulting requests, sending it to the attacker-controlled server. DICOMweb data sources are not impacted.

