PT-2026-26507 · Pydicom · Pydicom

Jh4Nks · Published 2026-03-20 · Updated 2026-03-23 · CVE-2026-32711

CVSS v3.1: 7.8 High
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: pydicom versions 2.0.0-rc.1 through 3.0.1
Description: pydicom is susceptible to a path traversal issue when processing maliciously crafted DICOM files. Specifically, a crafted DICOMDIR can set ReferencedFileID to a path outside the expected File-set root. The software only verifies that the path exists; it does not confirm that the path remains within the designated root directory. Subsequent operations such as copy(), write(), and remove() followed by write(use_existing=True) then use this unchecked path for file I/O, potentially allowing arbitrary file read, copy, move, or deletion outside the intended File-set root. The root cause is the lack of a containment check ensuring that the resolved path stays within the File-set root. A realistic scenario is a user uploading a malicious DICOM File-set zip, which the server then loads and re-exports; the exported result can then include server-local files referenced by the malicious DICOMDIR.
Recommendations: Update to pydicom version 3.0.2 or later.
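The following is an added example, not pydicom's own code or its fix, illustrating the two checks the description contrasts: accepting a ReferencedFileID because the joined path exists (the vulnerable pattern) versus resolving the path and requiring it to stay inside the File-set root (the containment check the advisory says was missing). ReferencedFileID is modelled as a list of path components, which matches its multi-valued DICOM definition but not necessarily pydicom's internal representation; all function names, the sample File-set layout and the sample values are constructed for this example.

```python
"""Containment check for DICOMDIR ReferencedFileID paths.

Added example (assumption: not pydicom's own code). It models the two checks
the advisory contrasts: accepting a ReferencedFileID because the path exists,
versus requiring the resolved path to stay inside the File-set root.
Function names and sample values are this example's own constructions.
"""
import tempfile
from pathlib import Path


def referenced_file_id_to_path(root, referenced_file_id):
    """Join ReferencedFileID components onto the File-set root.

    ReferencedFileID is multi-valued; each component is one path segment.
    A crafted DICOMDIR can put '..' or an absolute path in it. Note that
    Path.joinpath discards the root when a component is absolute, which is
    exactly the behaviour a containment check has to catch.
    """
    if isinstance(referenced_file_id, (list, tuple)):
        components = [str(c) for c in referenced_file_id]
    else:
        components = [str(referenced_file_id)]
    return Path(root).joinpath(*components)


def exists_only_check(root, referenced_file_id):
    """Vulnerable pattern: the path is accepted merely because it exists."""
    return referenced_file_id_to_path(root, referenced_file_id).exists()


def is_within_root(root, referenced_file_id):
    """Hardened pattern: resolve both paths (following symlinks and '..')
    and require the candidate to be strictly inside the File-set root."""
    root_resolved = Path(root).resolve()
    candidate = referenced_file_id_to_path(root, referenced_file_id).resolve()
    if candidate == root_resolved:
        return False  # a File-set entry must name a file, not the root itself
    try:
        candidate.relative_to(root_resolved)
    except ValueError:
        return False  # resolved outside the root: reject before any file I/O
    return True


def demo():
    """Run both checks over constructed ReferencedFileID values.

    Returns {label: (exists_only_check result, is_within_root result)}.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "FILESET"
        (root / "IMAGES").mkdir(parents=True)
        (root / "IMAGES" / "IM0001").write_bytes(b"constructed DICOM bytes")
        # A server-local file that lives next to, not inside, the File-set root.
        outside = Path(tmp) / "secret.txt"
        outside.write_text("constructed server-local file\n")

        samples = {
            "in-set file": ["IMAGES", "IM0001"],
            "dot-dot escape": ["..", "secret.txt"],
            "absolute escape": [str(outside)],
            "in-set but missing": ["IMAGES", "IM0002"],
        }
        return {
            label: (exists_only_check(root, ref), is_within_root(root, ref))
            for label, ref in samples.items()
        }


if __name__ == "__main__":
    for label, (exists, contained) in demo().items():
        verdict = "accept" if contained else "reject"
        print(f"{label:20s} exists={exists!s:5s} within_root={contained!s:5s} -> {verdict}")
```

The point the sample values make is that existence and containment are independent properties: both escape samples exist on disk and pass the existence-only check, while the "in-set but missing" entry fails existence yet is perfectly contained. The containment check resolves both sides before comparing, so a symlink placed inside the root that points elsewhere is also rejected, and it is performed before any copy, write or remove touches the path.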

Weakness Enumeration: Path traversal

Related Identifiers

CVE-2026-32711
GHSA-V856-2RF8-9F28
OPENSUSE-SU-2026:10412-1

Affected Products

Pydicom