CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-32711: Path Traversal and Arbitrary File Operations in pydicom FileSet

Vulnerability ID: CVE-2026-32711
CVSS Score: 7.8
Published: 2026-03-20

CVE-2026-32711 is a high-severity path traversal vulnerability in the pydicom Python library, affecting versions 2.0.0-rc.1 through 3.0.1. The flaw resides in the FileSet implementation, where insufficient validation of the ReferencedFileID attribute in DICOMDIR directory records allows a maliciously crafted DICOMDIR to make pydicom read, copy, or delete files outside the FileSet's root directory.
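The defensive check the paragraph above calls for, as an added example that is not pydicom's own code: each value of the multi-valued Referenced File ID is one path component relative to the File-set root, so a validator can reject separators and traversal tokens per component and then confirm the joined path resolves under the root. The function names, the `SAMPLE_RECORDS` list and the root path are constructed for illustration.

```python
import os
from pathlib import Path
from typing import Iterable, List, Tuple, Union

# Component values that can never appear in a legitimate File ID component.
FORBIDDEN = {"", ".", ".."}


def validate_file_id(file_id: Union[str, Iterable[str]]) -> List[str]:
    """Return the components of a Referenced File ID, or raise ValueError.

    DICOM limits a File ID to at most eight components; each must be a bare
    name, never a separator-containing string, an absolute path, or '..'.
    """
    parts = [file_id] if isinstance(file_id, str) else list(file_id)
    if not parts or len(parts) > 8:
        raise ValueError("Referenced File ID must have 1-8 components")
    for comp in parts:
        if comp in FORBIDDEN:
            raise ValueError(f"illegal component {comp!r}")
        if "/" in comp or "\\" in comp or "\x00" in comp:
            raise ValueError(f"separator in component {comp!r}")
        if os.path.isabs(comp) or (len(comp) > 1 and comp[1] == ":"):
            raise ValueError(f"absolute component {comp!r}")
    return parts


def resolve_under_root(root: Path, file_id) -> Path:
    """Join the components under root and prove the result stays inside it."""
    parts = validate_file_id(file_id)
    root_resolved = root.resolve()
    target = root_resolved.joinpath(*parts).resolve()
    # Second line of defence: catches anything (e.g. a symlink) that the
    # per-component checks could not see.
    if root_resolved not in target.parents:
        raise ValueError(f"{target} escapes File-set root {root_resolved}")
    return target


def audit_records(root: Path, records) -> List[Tuple[object, str]]:
    """Return (file_id, reason) for every record whose path would escape root."""
    bad = []
    for file_id in records:
        try:
            resolve_under_root(root, file_id)
        except ValueError as exc:
            bad.append((file_id, str(exc)))
    return bad


# Constructed sample: one benign record and three that a patched reader must reject.
SAMPLE_RECORDS = [["DICOM", "IM000001"], ["..", "..", "etc", "passwd"],
                  ["DICOM/../IM000002"], ["/etc/passwd"]]
```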

TL;DR

A path traversal vulnerability (CWE-22) in pydicom's FileSet parsing allows local arbitrary file operations via maliciously crafted DICOMDIR files. Update to version 3.0.2 or 2.4.5 to mitigate.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-22
  • Attack Vector: Local
  • CVSS Score: 7.8
  • EPSS Score: 0.00016
  • Impact: High (Confidentiality, Integrity, Availability)
  • Exploit Status: Proof of Concept
  • CISA KEV: False

Affected Systems

  • pydicom
  • pydicom: >= 2.0.0-rc.1, <= 3.0.1 (Fixed in: 3.0.2)

Code Analysis

Commit: 6414f01

Main branch fix for path traversal vulnerability in FileSet

Commit: ed4ddea

Backport fix for path traversal vulnerability in FileSet to v2.4.5

Mitigation Strategies

  • Upgrade to a patched version of pydicom (3.0.2 or 2.4.5).
  • Execute pydicom scripts processing untrusted data in unprivileged, isolated containers.
  • Enforce strict filesystem permissions, ensuring the Python process cannot read or write sensitive system files.

Remediation Steps:

  1. Identify all projects and virtual environments utilizing the pydicom library.
  2. Update the dependency using pip install --upgrade "pydicom>=3.0.2" for 3.x environments (quote the specifier so the shell does not treat > as a redirect).
  3. Update the dependency using pip install --upgrade "pydicom>=2.4.5" for 2.x environments.
  4. Verify the installed version by running python -c "import pydicom; print(pydicom.__version__)".

Read the full report for CVE-2026-32711 on our website for more details including interactive diagrams and full exploit analysis.