OHIF Viewers DICOM

Status: Plan Patch
CVSS: 8.2
ICS-CERT: ICSMA-26-176-02
Published: Jun 25, 2026

Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

The OHIF DICOM Web Viewer Framework is vulnerable to token theft via crafted links. Successful exploitation allows an attacker to steal an authenticated clinician's session token, potentially leading to unauthorized access to patient imaging data and systems. The vulnerability affects custom integration versions of OHIF, particularly those using DicomWebProxyDataSource or DicomJSONDataSource in authenticated deployments. The vendor has released a fix in version 3.12.2.

What this means
What could happen
An attacker could trick a clinician into clicking a malicious link, stealing their authentication token and gaining access to patient data or the ability to modify medical imaging systems. This could lead to unauthorized access to protected health information or tampering with diagnostic workflows.
Who's at risk
Healthcare facilities running OHIF (Open Health Imaging Foundation) Viewers for DICOM medical image viewing, particularly those with custom integrations that proxy DICOM data sources in authenticated environments. This affects radiology departments, imaging centers, and any facility using OHIF to display medical imaging data to authenticated clinicians.
How it could be exploited
An attacker crafts a malicious link and sends it to a clinician via email or social engineering. When the clinician clicks the link while logged into OHIF, the vulnerability allows the attacker's crafted request to steal the authenticated session token. The attacker then uses the stolen token to access patient data or interact with the DICOM imaging system.
Prerequisites
  • User must be authenticated in OHIF and click a malicious link
  • OHIF must be running version 3.12.0 or earlier
  • Custom integration of OHIF with vulnerable data sources (DicomWebProxyDataSource or DicomJSONDataSource) in an authenticated deployment

  • Remotely exploitable via social engineering (malicious link)
  • No authentication required from attacker (targets an authenticated user)
  • User interaction required (user must click the link)
  • High CVSS score (8.2)
  • Affects access to protected health information
Exploitability
Unlikely to be exploited — EPSS score 0.2%
Affected products (1)
Product: OHIF DICOM Web Viewer Framework
Affected Versions: ≤ v3.12.0
Fix Status: No fix yet
Remediation & Mitigation
Do now
  • HARDENING: For authenticated deployments using dicomwebproxy or dicomjson, configure the dangerouslyAllowedOriginsForAuthenticatedEnvironments allowlist in app-config.js to restrict which origins can access these proxies
  • HARDENING: Remove all unused DicomWebProxyDataSource and DicomJSONDataSource configurations from your OHIF configuration file
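As an added example (not OHIF's own code), the kind of check an origin allowlist such as dangerouslyAllowedOriginsForAuthenticatedEnvironments implies: a data-source URL taken from a viewer link is compared against the allowlist before the clinician's session token is attached to any request for it. The config shape, the origins, the URLs and the function names are assumptions constructed for illustration.

```javascript
// Constructed config for illustration; not OHIF's actual config schema.
// Only origins listed here may ever receive the clinician's bearer token.
const exampleConfig = {
  dangerouslyAllowedOriginsForAuthenticatedEnvironments: [
    'https://pacs.hospital.example',
  ],
};

// Exact-origin comparison: scheme, host and port must all match an entry.
// Substring or suffix matching would let "pacs.hospital.example.attacker.example"
// through, so we always compare the parsed origin, never the raw string.
function isAllowedOrigin(urlString, allowedOrigins) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return false; // unparseable input never gets credentials
  }
  if (url.protocol !== 'https:') return false; // no plaintext, no javascript:/data:
  return allowedOrigins.includes(url.origin);
}

// Decide whether a data-source URL supplied via a link may be fetched with the
// session token. Returns the fetch headers to use; a disallowed origin gets
// no Authorization header at all, so a crafted link cannot exfiltrate the token.
function buildFetchOptions(urlString, token, allowedOrigins) {
  if (!isAllowedOrigin(urlString, allowedOrigins)) {
    return { allowed: false, headers: {} };
  }
  return { allowed: true, headers: { Authorization: `Bearer ${token}` } };
}

// Constructed sample of URLs a viewer link might carry, evaluated in one pass.
function evaluateLinks(urls, allowedOrigins) {
  return Object.fromEntries(urls.map((u) => [u, isAllowedOrigin(u, allowedOrigins)]));
}
```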
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Upgrade OHIF to version 3.12.2 or later

OHIF Viewers DICOM | CVSS 8.2 - OTPulse