OHIF Viewer
OIDC Credential Theft via Externally Controlled URL
A configuration shipped in the official OHIF Viewer distribution allows a crafted link to cause an authenticated user's session credentials to be sent to an attacker-controlled server. A single click by a logged-in clinician is sufficient; the attacker needs no credentials of their own. The OHIF maintainers have released a fix in v3.12.2: the affected data sources now validate the URL they fetch against an operator-configured origin allowlist before a request inherits the user's token. Deployments on v3.12.0 or earlier should upgrade to v3.12.2 or later. The maintainers have informed us that a CVE will be published shortly; we will link it here once assigned.
This advisory contains limited information during coordinated disclosure. Please check back later for full details.
Description
We reported this privately to the OHIF maintainers in February 2026. They responded constructively, developed and released a fix, and engaged with us to validate the remediation. We appreciate their responsiveness and the project's work on open medical imaging.
The fix is published in OHIF Viewer v3.12.2. The data sources that load a study from an external URL now apply an origin policy before issuing a request that carries the user's token, so in authenticated deployments only operator-allowlisted origins are fetched and a crafted link can no longer redirect a token-bearing request to an attacker's server. Operators should upgrade to v3.12.2 or later. The maintainers have informed us that a CVE will be published shortly; we will link it here once it is assigned.
Impact
- An attacker who delivers a crafted link to an authenticated OHIF user can cause that user's OIDC bearer token to be transmitted to an attacker-controlled server. The captured token can be replayed against the imaging backend to access the patient studies (PHI) the user is authorised to view. Exploitation requires only a single click by an already-authenticated user and no credentials on the attacker's side.
Mitigation
Upgrade to OHIF Viewer v3.12.2 or later, which applies an origin allowlist before a data source fetches an external URL with the user's token. Deployments on v3.12.0 or earlier remain affected until upgraded.
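To illustrate the class of defect and the allowlist-before-token check the fix is described to apply, the following is an added example written for this advisory; it is not OHIF's own code, and the names (`isAllowedOrigin`, `fetchStudyUnsafe`, `fetchStudySafe`, `fetchImpl`) and the sample origins are constructed. `fetchImpl` is injected so the example runs offline.

```javascript
// Added example, not OHIF code: gate a token-bearing fetch on an
// operator-configured origin allowlist. All names and hosts are constructed.

const ALLOWED_ORIGINS = ['https://pacs.hospital.example']; // constructed operator config

function isAllowedOrigin(url, allowedOrigins = ALLOWED_ORIGINS) {
  let parsed;
  try {
    parsed = new URL(url); // absolute URLs only; relative or garbage input is rejected
  } catch (e) {
    return false;
  }
  // Compare the full origin (scheme + host + port). A substring check on the raw
  // string would be fooled by "https://pacs.hospital.example@attacker.example/".
  return parsed.protocol === 'https:' && allowedOrigins.includes(parsed.origin);
}

// Vulnerable pattern: whatever URL the link supplies is fetched with the session
// token attached, so a crafted link redirects the token to a foreign host.
function fetchStudyUnsafe(url, token, fetchImpl) {
  return fetchImpl(url, { headers: { Authorization: `Bearer ${token}` } });
}

// Hardened pattern: the token is attached only when the origin is allowlisted;
// anything else is refused and reported to the caller so it can be logged.
function fetchStudySafe(url, token, fetchImpl, allowedOrigins = ALLOWED_ORIGINS) {
  if (!isAllowedOrigin(url, allowedOrigins)) {
    return { blocked: true, url };
  }
  return fetchImpl(url, { headers: { Authorization: `Bearer ${token}` } });
}

// Offline stand-in for fetch that records where the token would have been sent.
function recordingFetch() {
  const calls = [];
  const fetchImpl = (url, opts) => {
    calls.push({ url, auth: opts.headers.Authorization });
    return { ok: true };
  };
  return { calls, fetchImpl };
}

// Constructed inputs: a study URL on the real PACS and one pointing elsewhere.
const LEGIT_URL = 'https://pacs.hospital.example/dicomweb/studies';
const CRAFTED_URL = 'https://attacker.example/dicomweb/studies';
```

The same check belongs in every data source that builds a request from a URL taken from the page link, not only in one code path.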
Who We Are
The security researchers behind this advisory.

Dr. rer. nat. Simon Weber
Senior Pentester & MedSec Researcher
I evaluate your SaMD with the same industry-defining security insight I contributed to the BAK MV for the revision of the B3S standard.
- PhD on Hospital Cybersecurity
- Critical vulnerabilities found in hospital systems
- Alumnus of THB MedSec Research Group
- gematik Security Hero

Dipl.-Inf. Volker Schönefeld
Senior Application Security Expert
As a former CTO and developer turned pentester, I work alongside your team to uncover vulnerabilities and find solutions that fit your architecture.
- 20+ years as CTO, 50M+ app downloads
- Architected and secured large-scale IoT fleets
- Certified Web Exploitation Specialist
- gematik Security Hero