
AVID-2026-R1650

Description

Orthanc Server Missing Authentication for Critical Function (CVE-2025-0896)

Details

Orthanc server prior to version 1.5.8 does not enable basic authentication by default when remote access is enabled. This could result in unauthorized access by an attacker.

Reason for inclusion in AVID: CVE-2025-0896 describes a network-accessible missing authentication vulnerability in Orthanc Server, enabling unauthorized access with high impact. Orthanc can function as a data ingestion/serving component in AI-enabled medical imaging pipelines, making this a software supply-chain issue affecting general-purpose AI systems when such components are used in data workflows, model training, or deployment. Evidence is provided by the CVE entry and CVSS data.
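The defect described above is a configuration default, so the practical check is in Orthanc's configuration file. The fragment below is an added illustration, not part of the AVID entry or of the Orthanc project's files: it shows the exposed combination (remote access allowed, authentication left off) next to the hardened one. The keys RemoteAccessAllowed, AuthenticationEnabled and RegisteredUsers are Orthanc's documented configuration options; the user name and password values are placeholders constructed for the example.

```json
{
  "_comment_exposed": "Exposed state on versions before 1.5.8: remote clients reach the REST API and DICOMweb endpoints with no credentials.",
  "Exposed": {
    "RemoteAccessAllowed": true,
    "AuthenticationEnabled": false
  },

  "_comment_hardened": "Hardened state: state authentication explicitly rather than relying on the version-dependent default, and register at least one account.",
  "Hardened": {
    "RemoteAccessAllowed": true,
    "AuthenticationEnabled": true,
    "RegisteredUsers": {
      "PLACEHOLDER_USER": "PLACEHOLDER_STRONG_PASSWORD"
    }
  }
}
```

In a real Configuration.json the keys sit at the top level rather than under "Exposed"/"Hardened"; the two objects are grouped here only to put the weak and corrected settings side by side. Setting AuthenticationEnabled explicitly is worthwhile even on 1.5.8 and later, because a configuration review can then confirm the intent without knowing which default applies to the installed version.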

References

Affected or Relevant Artifacts

  • Developer: Orthanc
  • Deployer: Orthanc
  • Artifact Details:
      Type: System
      Name: Orthanc server

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

Version: 3.1
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score: 9.8
Base Severity: 🔴 Critical
Attack Vector: NETWORK
Attack Complexity: 🟢 Low
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: 🔴 High
Integrity Impact: 🔴 High
Availability Impact: 🔴 High

CWE

ID: CWE-306
Description: Missing Authentication for Critical Function

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2025-02-13
  • Version: 0.3.3
  • AVID Entry