CVE-2026-32711
Published: 20 March 2026
Summary
CVE-2026-32711 is a high-severity Path Traversal (CWE-22) vulnerability in Pydicom's pydicom library. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). It is ranked at the 0.6th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly mitigates path traversal by requiring validation of untrusted inputs such as the DICOMDIR ReferencedFileID, ensuring resolved paths stay within the File-set root.
- SI-2 (Flaw Remediation): Addresses the vulnerability by monitoring for flaws in pydicom and remediating through timely updates to the fixed version, 3.0.2.
- Logical access controls: Restrict file I/O operations outside the intended File-set root directory during copy, write, and remove operations.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is triggered by a user processing a crafted DICOMDIR file (T1204.002 Malicious File), which directly enables arbitrary reads/copies of local files outside the intended root (T1005 Data from Local System) and file removal/move operations (T1070.004 File Deletion).
NVD Description
pydicom is a pure Python package for working with DICOM files. Versions 2.0.0-rc.1 through 3.0.1 are vulnerable to Path Traversal through a maliciously crafted DICOMDIR ReferencedFileID when it is set to a path outside the File-set root. pydicom resolves the path only to confirm that it exists, but does not verify that the resolved path remains under the File-set root. Subsequent public FileSet operations such as copy(), write(), and remove()+write(use_existing=True) use that unchecked path in file I/O operations. This allows arbitrary file read/copy and, in some flows, move/delete outside the File-set root. This issue has been fixed in version 3.0.2.
Deeper analysis
CVE-2026-32711 is a path traversal vulnerability (CWE-22) in pydicom, a pure Python package for working with DICOM files. Versions from 2.0.0-rc.1 through 3.0.1 are affected. The issue arises when processing a maliciously crafted DICOMDIR file where the ReferencedFileID is set to a path outside the File-set root. While pydicom resolves the path to confirm its existence, it fails to verify that the resolved path remains under the File-set root. This unchecked path is then used in subsequent FileSet operations, such as copy(), write(), and remove()+write(use_existing=True), enabling unintended file I/O outside the intended directory. The vulnerability has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A local attacker can exploit this vulnerability by tricking a user into processing a specially crafted DICOMDIR file with pydicom. No privileges are required (PR:N), but user interaction is needed (UI:R), such as opening or loading the file in an application using the vulnerable library. Successful exploitation allows arbitrary file read and copy operations outside the File-set root, and in certain workflows, file move or delete actions. This provides high confidentiality, integrity, and availability impacts on the local filesystem.
The vulnerability has been fixed in pydicom version 3.0.2. Security practitioners should upgrade to this version or later. Relevant resources include the fixing commit at https://github.com/pydicom/pydicom/commit/6414f01a053dff925578799f5a7208d2ae585e82, the release notes at https://github.com/pydicom/pydicom/releases/tag/v3.0.2, and the GitHub security advisory at https://github.com/pydicom/pydicom/security/advisories/GHSA-v856-2rf8-9f28.
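The check the fix restores, shown as an added example that is not pydicom's own code: a Referenced File ID (0004,1500) is carried in DICOMDIR as path components relative to the File-set root, and the pre-3.0.2 code path resolved it only to test that the file exists. The function names, the temporary File-set layout and the file contents below are constructed for this demonstration; the existence-only resolver accepts an ID that escapes the root, while the hardened resolver rejects `..`, absolute components and symlink escapes alike.

```python
from pathlib import Path
import tempfile

def resolve_existence_only(fileset_root, referenced_file_id):
    """Pre-fix behaviour: resolve the ID and only test that the file exists."""
    path = Path(fileset_root).joinpath(*referenced_file_id).resolve()
    if not path.exists():
        raise FileNotFoundError(path)
    return path

def resolve_within_root(fileset_root, referenced_file_id):
    """Hardened check: the resolved path must still lie under the File-set root."""
    root = Path(fileset_root).resolve()
    # joinpath() drops root for an absolute component, resolve() collapses '..'
    # and follows symlinks, so relative_to() catches all three escape routes.
    path = root.joinpath(*referenced_file_id).resolve()
    try:
        path.relative_to(root)
    except ValueError:
        raise ValueError(f"{referenced_file_id!r} resolves outside the File-set root") from None
    if not path.exists():
        raise FileNotFoundError(path)
    return path

def build_fixture():
    """Construct a throw-away File-set with one image plus a file outside it."""
    base = Path(tempfile.mkdtemp())
    root = base / "FILESET"
    (root / "IMAGES").mkdir(parents=True)
    (root / "IMAGES" / "IM000001").write_bytes(b"constructed stand-in for a DICOM file")
    (base / "secret.txt").write_text("constructed file outside the File-set")
    return root

def outcome(resolver, root, referenced_file_id):
    """Summarise how a resolver treats one Referenced File ID value."""
    try:
        resolver(root, referenced_file_id)
        return "accepted"
    except ValueError:
        return "rejected: outside root"
    except FileNotFoundError:
        return "rejected: missing"

if __name__ == "__main__":
    root = build_fixture()
    for rid in (["IMAGES", "IM000001"], ["..", "secret.txt"], [str(root.parent / "secret.txt")]):
        print(rid, "existence-only:", outcome(resolve_existence_only, root, rid),
              "| hardened:", outcome(resolve_within_root, root, rid))
```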
Details
- CWE(s)