CISA has issued a medical device security advisory for the Open Health Imaging Foundation (OHIF) DICOM Web Viewer Framework, warning that a server-side request forgery (SSRF) vulnerability tracked as CVE-2026-12473 affects all versions up to and including v3.12.0. The flaw carries a CVSS v3.1 base score of 8.2 (HIGH) and a CVSS v4.0 base score of 8.3 (HIGH).
What Is Vulnerable
Two data source components shipped in the default OHIF configuration, DICOMWebProxy and DICOMJSON, accept an arbitrary URL parameter without performing any validation on it. OHIF’s global authentication service automatically injects the authenticated user’s OIDC Bearer token into outbound requests generated by these data sources. Because the destination URL is attacker-controlled, the token is silently forwarded to the attacker’s server. DICOMweb data sources are not affected by this issue.
Successful exploitation requires a clinician or other authenticated user to follow a crafted link, making this a user-interaction-dependent attack. However, the confidentiality impact is rated high because a stolen Bearer token grants the attacker access to authenticated sessions. The vulnerability is classified under CWE-918 (Server-Side Request Forgery).
The affected product is deployed worldwide across the healthcare and public health critical infrastructure sector.
Remediation
OHIF released version 3.12.2 on May 18, 2026, which addresses the vulnerability. Users should upgrade to v3.12.2 or later as the primary remediation step.
Operators who must retain DICOMWebProxy or DICOMJSON functionality in authenticated deployments have an additional requirement: configure the new dangerouslyAllowedOriginsForAuthenticatedEnvironments allowlist in app-config.js. This explicitly restricts which origins those data sources may contact.
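As an added example (not OHIF's own code), the kind of exact-origin allowlist check the dangerouslyAllowedOriginsForAuthenticatedEnvironments setting describes, shown beside the unguarded behaviour the advisory reports for the DICOMWebProxy and DICOMJSON data sources; the config values, viewer origin and request-building helpers are constructed for illustration.

```javascript
// Added example, not OHIF's own code: an exact-origin allowlist check of the kind
// the dangerouslyAllowedOriginsForAuthenticatedEnvironments setting describes.
// Config values, viewer origin and the request-building helpers are constructed.

// Constructed app-config.js fragment; only the key name comes from the advisory.
const appConfig = {
  dangerouslyAllowedOriginsForAuthenticatedEnvironments: [
    "https://pacs.hospital.example",
    "https://pacs.hospital.example:8443",
  ],
};

// Resolve a user-supplied URL the way a browser would (relative and
// protocol-relative forms resolve against the viewer's own origin) and
// return its origin (scheme + host + port). Userinfo such as
// "trusted.example@attacker.example" is discarded by the URL parser.
function resolveOrigin(candidate, viewerOrigin) {
  let parsed;
  try {
    parsed = new URL(candidate, viewerOrigin);
  } catch (e) {
    return null; // unparseable input is never allowed
  }
  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") return null;
  return parsed.origin;
}

// True only when the effective origin is listed exactly (scheme and port included).
function isOriginAllowed(candidate, allowedOrigins, viewerOrigin) {
  const origin = resolveOrigin(candidate, viewerOrigin);
  return origin !== null && allowedOrigins.includes(origin);
}

// The unguarded behaviour the advisory describes: the Bearer token is
// attached whatever the destination, so a crafted link receives it.
function buildRequestUnguarded(candidate, token) {
  return { url: candidate, headers: { Authorization: `Bearer ${token}` } };
}

// Hardened: refuse to build an authenticated request to an origin that is
// not on the allowlist; the caller should log the refusal and surface an error.
function buildRequestGuarded(candidate, token, config, viewerOrigin) {
  const allowed = config.dangerouslyAllowedOriginsForAuthenticatedEnvironments || [];
  if (!isOriginAllowed(candidate, allowed, viewerOrigin)) return null;
  const url = new URL(candidate, viewerOrigin).href;
  return { url, headers: { Authorization: `Bearer ${token}` } };
}
```

Matching on the parsed origin rather than on a substring of the raw string is what defeats userinfo, protocol-relative and scheme/port variations of an otherwise trusted hostname.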
As a further hardening measure, CISA recommends that operators of any deployment running OHIF with authentication remove all unused DicomWebProxyDataSource and DicomJSONDataSource entries from active configuration files to reduce the attack surface.
Additional Mitigations
- Restrict OHIF deployments from direct internet exposure; place them behind firewalls and isolate them from business networks.
- Where remote access is required, use VPNs kept current with the latest patches.
- Train clinical staff to avoid clicking unsolicited or suspicious links, which is the primary delivery mechanism for this attack.
CISA noted that no known public exploitation of this vulnerability has been reported at the time of publication. The vulnerability was discovered and reported to CISA by Simon Weber and Volker Schönefeld of Machine Spirits UG.
