Platform: python
Component: pydicom
Fixed in: 2.0.1, 3.0.2
CVE-2026-32711 is a Path Traversal vulnerability discovered in pydicom, a Python library for handling DICOM files. This vulnerability allows an attacker to potentially read, copy, move, or delete arbitrary files outside the intended File-set root directory. The vulnerability affects versions of pydicom up to and including 3.0.1, and a fix is available in version 3.0.2.
The core of the vulnerability lies in how pydicom handles ReferencedFileID within a DICOMDIR file. A malicious actor can craft a DICOMDIR where this ID points to a path outside the expected File-set root. While pydicom performs a basic existence check on this path, it fails to verify that the resolved path remains within the intended boundaries. Subsequent operations like copying, writing, and deleting files leverage this unchecked path, enabling unauthorized access and manipulation of files on the system. This could lead to sensitive data exposure, system compromise, or denial of service depending on the permissions of the process running pydicom.
As of the public disclosure date (2026-03-20), there is no indication of active exploitation of CVE-2026-32711. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept code is not yet available, but the vulnerability's nature suggests that it could be relatively straightforward to exploit once a suitable PoC is developed.
Exploit Status
EPSS: 0.01% (0% percentile)
The primary mitigation for CVE-2026-32711 is to upgrade to pydicom version 3.0.2 or later, which includes the necessary fix. If upgrading is not immediately feasible, consider implementing stricter input validation on DICOMDIR files to prevent the injection of malicious ReferencedFileID values. Web application firewalls (WAFs) configured to detect and block requests containing suspicious paths could also provide a layer of defense. Carefully review any custom code that processes DICOM files and ensure it properly validates file paths before performing any file I/O operations. After upgrading, confirm the fix by attempting to create a DICOMDIR with a ReferencedFileID pointing outside the File-set root and verifying that the operation is rejected.
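As an added example (not pydicom's own code and not part of this advisory), the Python below contrasts the existence-only check described above with a containment check that validates a ReferencedFileID against the File-set root before any copy, write or delete is attempted. It assumes the ID is available either as a single string or as a list of path components; the File-set directory, file names and symlink are constructed for the demo.

```python
"""Added example (not pydicom's own code): containment check for a DICOMDIR
ReferencedFileID before any file I/O. Assumes the ID is available as a string
or as a sequence of path components (an assumption for this demo)."""
import os
import tempfile
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a ReferencedFileID would resolve outside the File-set root."""


def _components(referenced_file_id):
    # A single-component ID arrives as a str; multi-component IDs as a sequence.
    if isinstance(referenced_file_id, str):
        return [referenced_file_id]
    return [str(c) for c in referenced_file_id]


def weak_exists_check(fileset_root, referenced_file_id):
    """The pattern the advisory describes: only checks that the path exists.
    An ID such as ['..', 'OUTSIDE'] passes as long as the target is there."""
    return Path(fileset_root).joinpath(*_components(referenced_file_id)).exists()


def resolve_referenced_file(fileset_root, referenced_file_id):
    """Return the absolute path for a ReferencedFileID, or raise if it escapes
    the File-set root. Rejects separators, '.', '..' and absolute components,
    and, because resolve() follows symlinks, links that point outside the root."""
    root = Path(fileset_root).resolve()
    comps = _components(referenced_file_id)
    if not comps:
        raise PathTraversalError("empty ReferencedFileID")
    for comp in comps:
        if (comp in ("", ".", "..") or "/" in comp or "\\" in comp
                or Path(comp).is_absolute()):
            raise PathTraversalError(f"illegal path component {comp!r}")
    candidate = root.joinpath(*comps).resolve()
    # Containment check: the resolved path must be the root or sit below it.
    if candidate != root and root not in candidate.parents:
        raise PathTraversalError(f"{candidate} is outside File-set root {root}")
    return candidate


def is_safe_referenced_file_id(fileset_root, referenced_file_id):
    """Boolean wrapper for callers that prefer a predicate over an exception."""
    try:
        resolve_referenced_file(fileset_root, referenced_file_id)
    except PathTraversalError:
        return False
    return True


def demo():
    """Build a constructed File-set in a temp dir and compare both checks."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "FILESET"
        root.mkdir()
        # Constructed placeholder content, not a real DICOM file.
        (root / "IM000001").write_bytes(b"constructed placeholder")
        # A file next to the File-set that the File-set must never touch.
        (Path(tmp) / "OUTSIDE").write_text("constructed file outside the root")

        results["in_root_accepted"] = is_safe_referenced_file_id(root, ["IM000001"])
        results["weak_check_passes_escape"] = weak_exists_check(root, ["..", "OUTSIDE"])
        results["escape_rejected"] = not is_safe_referenced_file_id(root, ["..", "OUTSIDE"])
        # Separator smuggled inside a single component.
        results["separator_rejected"] = not is_safe_referenced_file_id(root, ["..\\OUTSIDE"])
        try:
            os.symlink(Path(tmp) / "OUTSIDE", root / "LINK")
            results["symlink_rejected"] = not is_safe_referenced_file_id(root, ["LINK"])
        except OSError:  # symlink creation not permitted on this platform
            results["symlink_rejected"] = None
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the two-layer check is that rejecting suspicious components alone is not enough: a benign-looking component that is a symlink still escapes the root, which is why the resolved path is compared against the resolved root after `resolve()` has followed any links. Call `resolve_referenced_file` at the single point where a ReferencedFileID is turned into a filesystem path, so every later copy, move, write or delete inherits the check.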
Update the pydicom library to version 3.0.2 or later. This version fixes the path traversal vulnerability. You can update using pip: `pip install --upgrade pydicom`.
CVE-2026-32711 is a Path Traversal vulnerability in pydicom affecting versions up to 3.0.1, allowing attackers to potentially read, copy, move, or delete files outside the intended directory.
You are affected if you are using pydicom version 3.0.1 or earlier. Upgrade to 3.0.2 or later to mitigate the vulnerability.
Upgrade to pydicom version 3.0.2 or later. If upgrading is not possible, implement stricter input validation on DICOMDIR files.
As of the disclosure date, there is no evidence of active exploitation, but the vulnerability's nature suggests potential for exploitation.
Refer to the pydicom project's official website and security advisories for the latest information and updates regarding CVE-2026-32711.