CVE-2026-12473
HIGH
NVD
CVSS Score: 8.2
Severity: HIGH
Published: Jun 25, 2026
Vendor: unknown
Description
Two data sources shipped in the default configuration (DICOMWebProxy and DICOMJSON) fetch an arbitrary URL taken from a URL parameter without validating it. A global authentication service in OHIF automatically injects the authenticated user's OIDC Bearer token into the resulting requests, so the token is sent to an attacker-controlled server. DICOMweb data sources are not impacted.
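The missing check described above, sketched as an added example (not OHIF's code and not taken from this record): the Bearer token is attached only when the resolved request origin is on an allowlist. The function names, the allowlist and all hostnames are assumptions constructed for illustration.

```javascript
// Added example with hypothetical names; this is not OHIF's API.
// Origins the deployment trusts to receive the OIDC Bearer token (constructed values).
const TRUSTED_ORIGINS = new Set([
  'https://viewer.example.org',
  'https://pacs.example.org',
]);
const APP_BASE = 'https://viewer.example.org/'; // assumed location of the viewer

// Returns the normalized origin if the token may be sent there, otherwise null.
function trustedOriginFor(rawUrl, base = APP_BASE, trusted = TRUSTED_ORIGINS) {
  let url;
  try {
    url = new URL(rawUrl, base); // relative and protocol-relative URLs resolve here
  } catch {
    return null; // unparseable input never receives a token
  }
  if (url.protocol !== 'https:') return null;    // no cleartext or non-HTTP schemes
  if (url.username || url.password) return null; // reject "trusted-host@other-host" forms
  // url.origin is already lowercased and has the default port stripped.
  return trusted.has(url.origin) ? url.origin : null;
}

// Builds headers for a data-source fetch; Authorization is added only for trusted origins.
function headersFor(rawUrl, bearerToken) {
  const headers = { Accept: 'application/json' };
  if (trustedOriginFor(rawUrl) !== null) {
    headers.Authorization = `Bearer ${bearerToken}`;
  }
  return headers;
}

// Constructed sample values for the URL parameter.
const SAMPLE_URLS = [
  '/studies.json',
  'https://PACS.example.org:443/studies.json',
  'https://pacs.example.org.attacker.example/studies.json',
  'https://pacs.example.org@attacker.example/studies.json',
  '//attacker.example/studies.json',
  'http://pacs.example.org/studies.json',
];

// Returns [url, tokenAttached] pairs for the samples above.
function demo() {
  return SAMPLE_URLS.map((u) => [u, 'Authorization' in headersFor(u, 'sample-token')]);
}
```

Only the first two samples receive the header. A stricter deployment would refuse the fetch entirely for untrusted origins rather than send it without the token.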