ICSMA-26-176-02  ·  Published 2026-06-25  ·  View on CISA ICS-CERT ↗

OHIF Viewers DICOM

CVSS 8.2 HIGH

Risk Summary

Successful exploitation of this vulnerability in a custom integration version could allow an attacker to steal an authenticated clinician's token via a crafted link.

CVEs (1)

Remediations

  • The maintainer has fixed the reported vulnerability and released version 3.12.2 (2026-05-18). The fix is located at OHIF/Viewers#5985 (master), OHIF/Viewers#5978 (release/3.12).
  • Users are recommended to upgrade to v3.12.2 or later. Operators who need dicomwebproxy or dicomjson in authenticated deployments must additionally configure the new dangerouslyAllowedOriginsForAuthenticatedEnvironments allowlist in app-config.js.
  • Users running OHIF with authentication should remove ALL unused DicomWebProxyDataSource and DicomJSONDataSource configurations from the configuration file they are deploying with.
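The two remediation items above translate into checks a deployer can run over the app-config.js they are about to ship. The following is an added example written for this page, not code from OHIF or from the advisory. It assumes OHIF's usual `dataSources` array layout with `namespace`/`sourceName` entries, assumes the dicomwebproxy and dicomjson namespace strings shown, assumes the new `dangerouslyAllowedOriginsForAuthenticatedEnvironments` key sits at the top level of `window.config`, and uses a hypothetical `useOidc` flag to stand in for "authentication is enabled". Verify all of these against the 3.12.2 release and your own config before relying on the audit. The `originIsAllowed` helper is not OHIF's implementation; it shows the strict scheme+host+port comparison an origin allowlist implies, so that a crafted link pointing at a look-alike host is refused rather than handed the clinician's token.

```javascript
// Added example, not OHIF's own code. Models the advisory's remediation steps
// as checks over an app-config.js object. Namespace strings, the top-level
// placement of the allowlist key and the `useOidc` flag are assumptions.

const RISKY_DATA_SOURCE_NAMESPACES = [
  '@ohif/extension-default.dataSourcesModule.dicomwebproxy', // assumed namespace
  '@ohif/extension-default.dataSourcesModule.dicomjson',     // assumed namespace
];

// Constructed sample: an authenticated deployment that kept a proxy data
// source it never routes to and has not configured the new allowlist.
const weakConfig = {
  routerBasename: '/',
  useOidc: true, // hypothetical flag standing in for "authentication enabled"
  defaultDataSourceName: 'dicomweb',
  dataSources: [
    {
      namespace: '@ohif/extension-default.dataSourcesModule.dicomweb',
      sourceName: 'dicomweb',
      configuration: { wadoUriRoot: 'https://pacs.hospital.example/dicom-web' },
    },
    {
      namespace: '@ohif/extension-default.dataSourcesModule.dicomwebproxy',
      sourceName: 'dicomwebproxy',
      configuration: { name: 'dicomwebproxy' },
    },
  ],
};

// Hardened sample: the unused proxy source is gone, and because a dicomjson
// source is genuinely needed, the allowlist names the single origin that may
// receive a request carrying the clinician's token.
const hardenedConfig = {
  ...weakConfig,
  dangerouslyAllowedOriginsForAuthenticatedEnvironments: ['https://pacs.hospital.example'],
  dataSources: [
    weakConfig.dataSources[0],
    {
      namespace: '@ohif/extension-default.dataSourcesModule.dicomjson',
      sourceName: 'dicomjson',
      configuration: { name: 'dicomjson' },
    },
  ],
};

// Returns a list of findings; an empty list means the config follows the
// advisory's guidance. `sourcesInUse` is the Set of sourceName values the
// deployment actually routes to (defaultDataSourceName plus any linked to).
function auditConfig(config, sourcesInUse) {
  const findings = [];
  if (!config.useOidc) return findings; // unauthenticated deployments are out of scope here
  const risky = (config.dataSources || []).filter(ds =>
    RISKY_DATA_SOURCE_NAMESPACES.includes(ds.namespace));
  for (const ds of risky) {
    if (!sourcesInUse.has(ds.sourceName)) {
      findings.push(`remove unused data source "${ds.sourceName}"`);
    }
  }
  const allowlist = config.dangerouslyAllowedOriginsForAuthenticatedEnvironments;
  if (risky.some(ds => sourcesInUse.has(ds.sourceName)) &&
      !(Array.isArray(allowlist) && allowlist.length > 0)) {
    findings.push('dicomwebproxy/dicomjson in use but no origin allowlist configured');
  }
  return findings;
}

// Strict origin check of the kind an allowlist implies: only an exact
// scheme+host+port match passes. Malformed or relative URLs are refused.
function originIsAllowed(targetUrl, allowlist) {
  let origin;
  try {
    origin = new URL(targetUrl).origin; // throws on relative or malformed input
  } catch {
    return false;
  }
  return allowlist.some(entry => {
    try { return new URL(entry).origin === origin; } catch { return false; }
  });
}
```

Run `auditConfig` against the object your deployment assigns to `window.config`, passing the set of data sources it really uses; anything it reports corresponds directly to one of the two remediation bullets above.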

Affected Vendors

Open Health Imaging Foundation (OHIF)

Affected Products (1)

Open Health Imaging Foundation (OHIF) · OHIF DICOM Web Viewer Framework <=v3.12.0

Affected Sectors

Healthcare and Public Health
