CVE-2026-32711 Overview
CVE-2026-32711 is a path traversal vulnerability in pydicom, a pure Python package for working with DICOM (Digital Imaging and Communications in Medicine) files. The vulnerability exists in how pydicom handles maliciously crafted DICOMDIR ReferencedFileID values, allowing attackers to manipulate file operations outside the intended File-set root directory. This can lead to arbitrary file read/copy operations and, in certain workflows, file move or delete operations on unauthorized filesystem locations.
Critical Impact
Attackers can exploit this path traversal flaw to read sensitive files, copy protected data, or potentially delete critical system files by manipulating DICOMDIR entries to reference paths outside the File-set root directory.
Affected Products
- pydicom versions 2.0.0-rc.1 through 3.0.1
- Python applications using vulnerable pydicom FileSet operations
- Healthcare imaging systems utilizing pydicom for DICOM file processing
Discovery Timeline
- 2026-03-20 - CVE-2026-32711 published to NVD
- 2026-03-23 - Last updated in NVD database
Technical Details for CVE-2026-32711
Vulnerability Analysis
This path traversal vulnerability (CWE-22) affects pydicom's FileSet functionality when processing DICOMDIR files. DICOMDIR is a special DICOM file that contains a directory of all DICOM files within a File-set, using ReferencedFileID attributes to point to individual files. The vulnerability stems from insufficient validation of these ReferencedFileID values.
When pydicom processes a DICOMDIR, it resolves the ReferencedFileID paths to verify file existence but fails to validate that the resolved paths remain within the File-set root directory. This architectural flaw allows path traversal sequences (such as ../) embedded in malicious DICOMDIR entries to reference files outside the intended boundary.
Root Cause
The root cause lies in pydicom's path resolution logic within the FileSet implementation. When processing ReferencedFileID values, the code performs an existence check on the resolved path but does not implement proper path canonicalization and boundary checking. The application trusts the ReferencedFileID value without sanitizing directory traversal sequences, allowing attackers to craft paths that escape the File-set root.
Attack Vector
The attack requires local access and user interaction to process a malicious DICOMDIR file. An attacker crafts a DICOMDIR containing ReferencedFileID entries with path traversal sequences pointing to sensitive files outside the File-set root. When a victim application performs FileSet operations such as copy(), write(), or remove()+write(use_existing=True), these operations are executed on the attacker-specified paths rather than legitimate DICOM files.
The exploitation flow involves distributing a malicious DICOM File-set (potentially disguised as legitimate medical imaging data) to a target system. When the victim's pydicom-based application processes this File-set, it could inadvertently read sensitive files like configuration files or credentials, copy protected data to attacker-accessible locations, or delete critical files when performing remove and write operations.
Detection Methods for CVE-2026-32711
Indicators of Compromise
- DICOMDIR files containing unusual path patterns with ../ or absolute path references in ReferencedFileID values
- File access logs showing pydicom processes accessing files outside expected DICOM storage directories
- Unexpected file operations (read, copy, delete) occurring in system directories during DICOM processing
Detection Strategies
- Implement file integrity monitoring on sensitive directories to detect unauthorized access patterns during DICOM processing
- Monitor application logs for path traversal patterns in DICOM-related operations
- Deploy endpoint detection rules to identify suspicious file operations initiated by Python processes handling DICOM files
Monitoring Recommendations
- Enable verbose logging for applications utilizing pydicom FileSet operations to capture file path details
- Configure alerting for file access attempts outside designated DICOM storage directories
- Implement audit trails for all file operations performed by healthcare imaging applications
How to Mitigate CVE-2026-32711
Immediate Actions Required
- Upgrade pydicom to version 3.0.2 or later immediately
- Audit existing DICOMDIR files in your environment for suspicious ReferencedFileID values
- Restrict file system permissions for processes handling DICOM files to minimize potential impact
- Review and validate any DICOM files received from external sources before processing
Patch Information
The pydicom development team has addressed this vulnerability in version 3.0.2. The fix implements proper path validation to ensure resolved ReferencedFileID paths remain within the File-set root directory before any file I/O operations are performed.
For detailed patch information, refer to the GitHub Commit Details and the official GitHub Release v3.0.2. The GitHub Security Advisory GHSA-v856-2rf8-9f28 provides additional technical details about the vulnerability.
Workarounds
- Implement application-level path validation before passing DICOMDIR files to pydicom for processing
- Run DICOM processing applications in sandboxed environments with restricted filesystem access
- Use chroot or container isolation to limit file access to designated DICOM storage directories
- Validate DICOMDIR files against a whitelist of expected ReferencedFileID patterns before processing
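As an added example that is neither pydicom's code nor part of the original advisory, the boundary check that the root-cause analysis and the workarounds above call for: a ReferencedFileID is canonicalised against the File-set root and rejected before any I/O if it escapes that root, in contrast to an existence-only check. The helper name, the demo() File-set layout and the file names are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional, Sequence, Union

ReferencedFileID = Union[str, Sequence[str]]


def resolve_referenced_file_id(root: Union[str, Path], rfid: ReferencedFileID) -> Optional[Path]:
    """Resolve a DICOMDIR ReferencedFileID (single string or multi-valued
    component list) relative to the File-set root. Returns the canonical
    path only if it stays inside the root; otherwise None, so the caller
    performs no read/copy/remove on it. (Hypothetical helper, not pydicom API.)"""
    components = [rfid] if isinstance(rfid, str) else list(rfid)
    # A valid ReferencedFileID is relative; reject absolute components and NUL bytes outright.
    if not components or any(os.path.isabs(c) or "\x00" in c for c in components):
        return None
    root_real = Path(root).resolve()
    # resolve() collapses "..", "." and symlinks before the containment check,
    # so a symlink inside the File-set pointing outside it is caught too.
    candidate = root_real.joinpath(*components).resolve()
    try:
        candidate.relative_to(root_real)
    except ValueError:
        return None  # canonical path escaped the File-set root
    return candidate


def demo() -> dict:
    """Constructed File-set: one legitimate image plus a traversal entry aimed at
    a file one level above the root. For each entry returns
    (existence_only_check_passes, hardened_check_passes)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "FILESET"
        (root / "IMG").mkdir(parents=True)
        (root / "IMG" / "IM000001").write_bytes(b"constructed DICOM bytes")
        (Path(tmp) / "secret.cfg").write_text("db_password=constructed")
        entries = {
            "legit": ["IMG", "IM000001"],
            "traversal": ["..", "secret.cfg"],
        }
        results = {}
        for name, rfid in entries.items():
            # Existence-only check (the pattern the root-cause section describes): accepts both entries.
            exists_only = root.joinpath(*rfid).exists()
            # Containment check: accepts only the entry that stays under the root.
            contained = resolve_referenced_file_id(root, rfid) is not None
            results[name] = (exists_only, contained)
        return results
```

Run the containment check over every directory record of an untrusted DICOMDIR and refuse the whole File-set if any entry returns None.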
# Upgrade pydicom to the patched version (quote the specifier so the shell does not treat ">" as a redirect)
pip install --upgrade "pydicom>=3.0.2"
# Verify the installed version
pip show pydicom | grep Version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.