Critical SSRF in OHIF Viewers DICOM (CVE‑2026‑12473) Enables Clinician Token Theft
What It Is — A server‑side request forgery (SSRF) flaw in the OHIF DICOM Web Viewer Framework (≤ v3.12.0) allows an attacker to supply an arbitrary URL to two default data sources. The viewer automatically appends the authenticated clinician’s OIDC Bearer token to the outbound request, leaking the token to an attacker‑controlled server.
Exploitability — The vulnerability is publicly disclosed, has a CVSS v3.1 base score of 8.2 (High), and a proof‑of‑concept exploit has been demonstrated by CISA. No known widespread exploitation, but the attack path is trivial once a malicious link is delivered to a logged‑in user.
Affected Products — OHIF Viewers DICOM (Open Health Imaging Foundation) — versions ≤ 3.12.0.
Why It Matters for Compliance & Audit Readiness
- SOC 2 Access Controls – Token leakage reveals gaps in credential handling, segregation of duties, and least‑privilege enforcement that SOC 2 CC6.1 (Logical Access) expects to be documented and monitored.
- Continuous Evidence – Detecting anomalous token use and logging outbound requests provides audit‑ready evidence of control effectiveness.
- Defensible Audit Trail – Remediation (patching, configuration hardening) must be captured as evidence of due‑diligence for any third‑party risk assessments or healthcare‑specific compliance (HIPAA, HITRUST).
Recommended Actions
- Upgrade immediately to OHIF Viewers v3.12.2 or later, which removes the insecure default data sources.
- Review and harden the viewer’s configuration: disable unused data sources, enforce strict URL validation, and apply a deny‑list for external domains.
- Restrict OIDC token scope to the minimum required for imaging tasks; rotate tokens regularly.
- Enable detailed logging of outbound HTTP requests and token usage; integrate logs with a SIEM for continuous monitoring.
- Update SOC 2 access‑control policies and evidence collection procedures to reflect the new configuration and token‑handling controls.
Source: CISA Advisory – ICSMA‑26‑176‑02