Description
Orthanc versions before 1.12.10 are affected by an authorisation logic flaw in the application's HTTP Basic Authentication implementation. Successful exploitation could result in Privilege Escalation, potentially allowing full administrative access.
References (4)
Core References
Various Sources: https://discourse.orthanc-server.org/t/orthanc-1-12-10/6326
Various Sources: https://orthanc.uclouvain.be/bugs/show_bug.cgi?id=252
Scores
CVSS v4: 4.7
CVSS v4 vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
EPSS: 0.0041
EPSS Percentile: 32.3%
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: total
Details
CWE: CWE-287
Status: published
Products (1)
orthanc-server/orthanc < 1.12.9
Published: Feb 18, 2026
Tracked Since: Feb 19, 2026