The Broadside · News · ics-ot, regulator

OHIF DICOM CVE-2026-12473 can steal clinician tokens

Upgrading to v3.12.2 is the easy part; authenticated deployments still need config cleanup to keep a crafted link from turning into credential theft.


TL;DR

CISA disclosed CVE-2026-12473, a high-severity SSRF bug in OHIF DICOM Web Viewer Framework versions <=v3.12.0. In authenticated custom integrations, crafted links can send a clinician's OIDC Bearer token to an attacker-controlled server. Healthcare organizations worldwide, including municipal and government health IT shops, should move to v3.12.2, set the new allowlist when using DICOMWebProxy or DICOMJSON, and remove unused configurations. CISA does not say how many public health environments run OHIF.

CISA's advisory is specific and ugly in the way token bugs usually are. OHIF Viewer versions <=v3.12.0 ship two data sources, DICOMWebProxy and DICOMJSON, that fetch a URL taken from a request parameter without validating where it points. In authenticated deployments, OHIF's global authentication service attaches the user's OIDC Bearer token to that outbound request, so a crafted link that points the parameter at an attacker-controlled host turns the viewer into the delivery mechanism for a clinician credential. CISA says no known public exploitation has been reported.

Remediation is configuration work as much as patch work. OHIF fixed the issue in v3.12.2, released May 18, 2026, and CISA tells users to upgrade. Operators that still need dicomwebproxy or dicomjson in authenticated deployments must configure dangerouslyAllowedOriginsForAuthenticatedEnvironments in app-config.js, and the setting's name is the caveat: the origins listed there are the ones the viewer is permitted to send the token to, so the list should hold the exact PACS origins you trust and nothing broader. Teams running OHIF with authentication should also remove unused DicomWebProxyDataSource and DicomJSONDataSource entries from the deployment config, which closes the path without relying on the allowlist at all. The standard DICOMweb data source is not affected.
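The decision the allowlist has to drive is "does this target URL get the clinician's Bearer token or not", and the shape of that check matters as much as the list. The block below is an added example written for this article, not OHIF's code and not the implementation behind dangerouslyAllowedOriginsForAuthenticatedEnvironments; the allowlist entries, probe URLs and token are constructed. It puts the naive prefix/substring check beside an exact-origin comparison on a parsed URL and shows which crafted-link shapes each one lets through.

```javascript
// Added example, not OHIF code: an origin allowlist gate for attaching an OIDC
// Bearer token to an outbound request, the kind of decision the
// dangerouslyAllowedOriginsForAuthenticatedEnvironments setting exists to drive.
// The allowlist entries, target URLs and token below are constructed for the demo.

// Assumed allowlist: exact origins (scheme + host + port), nothing else.
const ALLOWED_ORIGINS = ['https://pacs.hospital.example'];

// The check an attacker walks around: prefix or substring match on the raw string.
function weakCheck(target, allowed) {
  return allowed.some(origin => target.startsWith(origin) || target.includes(origin));
}

// Parse with the WHATWG URL API and compare the normalized origin exactly.
// url.origin drops userinfo, path and query and lowercases the host, so
// "https://pacs.hospital.example@evil.test/" and
// "https://evil.test/?u=https://pacs.hospital.example" both resolve to evil.test.
function originAllowed(target, allowed) {
  let url;
  try {
    url = new URL(target);
  } catch {
    return false; // unparseable input gets no token
  }
  if (url.protocol !== 'https:') return false; // never send a token over plain HTTP
  return allowed.includes(url.origin);
}

// Build request headers; the Bearer token is attached only for allowlisted origins.
function buildHeaders(target, token, allowed = ALLOWED_ORIGINS) {
  const headers = { Accept: 'application/dicom+json' };
  if (originAllowed(target, allowed)) {
    headers.Authorization = `Bearer ${token}`;
  }
  return headers;
}

// Constructed targets: one legitimate, the rest shaped like crafted-link cases.
const PROBES = [
  'https://pacs.hospital.example/studies?PatientID=123',
  'https://PACS.hospital.example/studies',              // case differs, same origin
  'https://pacs.hospital.example.evil.test/studies',    // lookalike subdomain
  'https://pacs.hospital.example@evil.test/studies',    // userinfo trick
  'https://evil.test/?u=https://pacs.hospital.example', // allowlisted string in query
  'http://pacs.hospital.example/studies',               // downgrade to plain HTTP
  'not a url',
];

for (const target of PROBES) {
  console.log(
    `${weakCheck(target, ALLOWED_ORIGINS) ? 'weak:ALLOW' : 'weak:deny '}  ` +
    `${originAllowed(target, ALLOWED_ORIGINS) ? 'strict:ALLOW' : 'strict:deny '}  ${target}`
  );
}
```

Run it with node and read the two columns side by side: the substring check passes the lookalike subdomain, the userinfo trick and the query-string smuggle, while the exact-origin check rejects all three and still accepts the legitimate origin with a differently cased host. The same comparison is what an allowlist entry should be matched against; anything looser turns the allowlist into decoration.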

CISA had already pulled DICOM software into ICS medical advisories, including MicroDicom DICOM Viewer bugs in May and June 2025 (May advisory, June advisory) and an Orthanc Osimis DICOM Web Viewer cross-site scripting issue in 2024 (advisory). OHIF changes the practitioner problem: the bug is not in a parser but in which configured data sources carry a live OIDC token, so exposure is a function of the deployment config, not just the version string. Healthcare application owners and municipal or government health IT teams need an inventory of OHIF versions and of authenticated deployments that still carry dicomwebproxy or dicomjson data sources before a crafted link becomes a token-theft path.


Published · Deep Fathom