Platform: python
Component: pydicom
Fixed in: 2.0.1, 3.0.2
CVE-2026-32711 is a path traversal vulnerability in pydicom, a Python library for reading and writing DICOM files. An attacker who can supply a crafted DICOMDIR file can potentially read, copy, move, or delete arbitrary files outside the intended File-set root directory. The vulnerability affects pydicom versions up to and including 3.0.1; the fix is available in version 3.0.2.
The flaw lies in how pydicom resolves the ReferencedFileID of directory records in a DICOMDIR. A malicious DICOMDIR can carry a ReferencedFileID that resolves to a path outside the designated File-set root. pydicom checks that the resolved path exists, but does not verify that it still lies inside the root. Subsequent file operations, such as copying, writing, and removing files (with use_existing=True), then use this unchecked path for file I/O, giving unauthorized access to, and manipulation of, files on the host. Depending on the permissions of the process running pydicom, this can lead to sensitive data exposure, system compromise, or denial of service.
The vulnerability was publicly disclosed on March 20, 2026. At present there are no known active campaigns exploiting CVE-2026-32711 and no public proof-of-concept (PoC) code has been released. The vulnerability is not listed in the CISA KEV catalog. Given how simple path traversal bugs typically are to trigger once the vulnerable code path is known, PoCs and exploitation attempts may emerge over time.
Systems that use pydicom to process DICOM File-sets are at risk, particularly those that ingest DICOMDIR files from external sources such as patient media or medical imaging archives. Any application that lets pydicom resolve ReferencedFileID values from a DICOMDIR it did not generate itself is exposed. The impact scales with the filesystem permissions of the process running pydicom, so environments with weak access controls or no validation of incoming DICOMDIR files face a higher risk.
• python / library:

import os
import pydicom


def check_file_path(dicom_dir_path, file_set_root):
    """Flag DICOMDIR directory records whose ReferencedFileID resolves
    outside the File-set root (the condition behind CVE-2026-32711)."""
    root = os.path.realpath(file_set_root)
    try:
        ds = pydicom.dcmread(dicom_dir_path)
    except Exception as e:
        print(f"Error processing DICOMDIR: {e}")
        return
    # ReferencedFileID lives on each directory record and is multi-valued:
    # one path component per value.
    for record in ds.get("DirectoryRecordSequence", []):
        file_id = record.get("ReferencedFileID")
        if file_id is None:
            continue
        components = [file_id] if isinstance(file_id, str) else list(file_id)
        # realpath collapses ".." and follows symlinks; an absolute component
        # makes os.path.join discard the root, which realpath also exposes.
        resolved_path = os.path.realpath(os.path.join(root, *components))
        if os.path.commonpath([root, resolved_path]) != root:
            print(f"Potential Path Traversal: Resolved path {resolved_path} is outside the File-set root.")
        else:
            print(f"Path is within the File-set root: {resolved_path}")


# Example usage (replace with actual paths)
file_set_root = "/path/to/fileset"
dicom_dir_path = "/path/to/DICOMDIR"
check_file_path(dicom_dir_path, file_set_root)
Exploit status
EPSS: 0.01% (0th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-32711 is to upgrade to pydicom version 3.0.2 or later, which contains the fix. If upgrading is not immediately feasible, restrict the filesystem permissions of the process running pydicom so that a traversed path cannot reach anything sensitive, and validate DICOMDIR files before handing them to pydicom: resolve each ReferencedFileID against the File-set root and reject any record whose canonical path lands outside it. A WAF will not address this vulnerability directly, since the payload is a DICOMDIR file rather than a URL, but host-level monitoring for unusual file access by the pydicom process can help. After upgrading, confirm the fix by loading a test DICOMDIR whose ReferencedFileID points outside the File-set root and verifying that the operation is rejected.
Update the pydicom library to version 3.0.2 or later. This version fixes the path traversal vulnerability. You can update using pip: `pip install --upgrade pydicom`.
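The example below is added here to illustrate the resolution flaw described above and the pre-upgrade validation recommended as a mitigation; it is not pydicom's code and not part of the original advisory. It builds a throwaway File-set on disk with a few files outside it and runs five constructed ReferencedFileID values (one path component per value, as a DICOMDIR record carries them) through three resolvers: the join-and-check-existence pattern the advisory describes as the pre-fix behaviour, a naive string-prefix check, and a canonicalise-then-contain check. All function names (build_fixture, resolve_unchecked, resolve_startswith, resolve_within_root, compare, run_demo), the directory layout, the file contents and the symlink are assumptions made for this demonstration; nothing is taken from a real DICOMDIR. Only the standard library is needed.

```python
import os
import tempfile
from pathlib import Path


def build_fixture(base: Path):
    """Construct a throwaway File-set plus files outside it (hypothetical
    layout built for this example; nothing here comes from a real DICOMDIR)."""
    root = base / "fileset"
    (root / "IMAGES").mkdir(parents=True)
    (root / "IMAGES" / "IM000001").write_bytes(b"\x00" * 16)
    outside = base / "outside"
    outside.mkdir()
    (outside / "secret.txt").write_text("not part of the File-set\n")
    sibling = base / "fileset_evil"          # shares the root's name as a prefix
    sibling.mkdir()
    (sibling / "IM000001").write_text("sibling directory\n")
    os.symlink(outside, root / "LINK")       # symlink inside the root, pointing out
    # Constructed ReferencedFileID values: one path component per value.
    records = {
        "benign":   ["IMAGES", "IM000001"],
        "dotdot":   ["..", "outside", "secret.txt"],
        "absolute": [str(outside / "secret.txt")],
        "sibling":  ["..", "fileset_evil", "IM000001"],
        "symlink":  ["LINK", "secret.txt"],
    }
    return root, records


def resolve_unchecked(root: Path, components):
    """Pattern the advisory describes as the pre-fix behaviour: join the
    components onto the root and only check that the result exists."""
    path = os.path.join(str(root), *components)   # an absolute component discards root
    return path if os.path.exists(path) else None


def resolve_startswith(root: Path, components):
    """Common but insufficient hardening: normalise and require a string prefix.
    Misses sibling directories sharing the prefix and symlinks inside the root."""
    path = os.path.normpath(os.path.join(str(root), *components))
    return path if path.startswith(str(root)) else None


def resolve_within_root(root: Path, components):
    """Canonicalise (follows symlinks, collapses '..') and require that the
    result is strictly inside the canonical root. Returns None otherwise."""
    root_real = root.resolve()
    candidate = root_real.joinpath(*components).resolve()
    try:
        candidate.relative_to(root_real)
    except ValueError:
        return None
    return candidate if candidate != root_real else None


def compare(root: Path, records):
    """For each record, whether each resolver accepted (True) or rejected it."""
    return {
        name: {
            "unchecked": resolve_unchecked(root, comps) is not None,
            "startswith": resolve_startswith(root, comps) is not None,
            "hardened": resolve_within_root(root, comps) is not None,
        }
        for name, comps in records.items()
    }


def run_demo():
    """Build the fixture in a temporary directory and return the comparison."""
    with tempfile.TemporaryDirectory() as tmp:
        root, records = build_fixture(Path(tmp))
        return compare(root, records)


if __name__ == "__main__":
    for name, verdicts in run_demo().items():
        print(f"{name:9s} {verdicts}")
```

Only the benign record survives the canonicalising check; the unchecked resolver accepts all five because each path exists, and the prefix check still lets the sibling-directory and symlink cases through, which is why the check must operate on resolved paths rather than strings.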
CVE-2026-32711 is a Path Traversal vulnerability in pydicom affecting versions up to 3.0.1, allowing attackers to potentially read, copy, move, or delete files outside the intended directory.
You are affected if you are using pydicom version 3.0.1 or earlier. Upgrade to 3.0.2 or later to mitigate the vulnerability.
Upgrade to pydicom version 3.0.2 or later. If upgrading is not possible, implement stricter input validation on DICOMDIR files.
As of the disclosure date, there is no evidence of active exploitation, but the vulnerability's nature suggests potential for exploitation.
Refer to the pydicom project's official website and security advisories for the latest information and updates regarding CVE-2026-32711.