Path Traversal Vulnerability in pydicom Product by The Pydicom Team
CVE-2026-32711

7.8 HIGH

Key Information:

Vendor: Pydicom
Status: Vendor
CVE Published: 20 March 2026

What is CVE-2026-32711?

pydicom, a Python library for reading and writing DICOM files, is vulnerable to Path Traversal because it does not correctly handle the ReferencedFileID of a DICOMDIR record. When that ID is crafted maliciously, the library builds the file path from it without validating that the resulting path stays inside the designated File-set root. File operations are then performed on that path, so an attacker who supplies such a DICOMDIR can read or manipulate files outside the intended directory, with potential impact on the integrity of the host system. The issue is fixed in pydicom version 3.0.2.
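The containment check the description says was missing, written as an added example (it is not pydicom's own code and does not reproduce its fix). It assumes the ReferencedFileID has already been read as a list of path components, one per directory level (a single string is treated as one component), and that the File-set root directory is known; the strict mode additionally enforces the DICOM PS3.10 rule that each File ID component is 1 to 8 characters from A-Z, 0-9 and underscore.

```python
import re
from pathlib import Path

# DICOM PS3.10 File ID component rule: 1-8 characters from A-Z, 0-9 and '_'
_COMPONENT_RE = re.compile(r"^[A-Z0-9_]{1,8}$")


class UnsafeFileIDError(ValueError):
    """Raised when a ReferencedFileID would not stay inside the File-set root."""


def resolve_referenced_file_id(root, components, strict=True):
    """Build the on-disk path for a DICOMDIR ReferencedFileID and verify containment.

    root:       directory that holds DICOMDIR (the File-set root)
    components: ReferencedFileID values, one per directory level, e.g. ["IMAGES", "IM000001"]
    strict:     also enforce the PS3.10 character/length rule for each component
    Returns the resolved absolute path, or raises UnsafeFileIDError.
    """
    root_dir = Path(root).resolve()
    if isinstance(components, str):  # single-valued attribute
        components = [components]
    if not components:
        raise UnsafeFileIDError("empty ReferencedFileID")
    for comp in components:
        # Each value is a bare name: separators, '.', '..' and NUL are never legitimate
        if comp in ("", ".", "..") or any(ch in comp for ch in "/\\\x00"):
            raise UnsafeFileIDError(f"unsafe ReferencedFileID component: {comp!r}")
        if strict and not _COMPONENT_RE.match(comp):
            raise UnsafeFileIDError(f"component violates PS3.10 File ID rule: {comp!r}")
    # Normalise and follow symlinks, then require the root to be a proper ancestor.
    # This second check is defence in depth: it also catches a symlink inside the
    # File-set that points outside it.
    candidate = root_dir.joinpath(*components).resolve()
    if root_dir not in candidate.parents:
        raise UnsafeFileIDError(f"ReferencedFileID escapes File-set root: {candidate}")
    return candidate


def is_safe_file_id(root, components, strict=True):
    """Yes/no wrapper around resolve_referenced_file_id for callers that only need a verdict."""
    try:
        resolve_referenced_file_id(root, components, strict)
        return True
    except UnsafeFileIDError:
        return False


if __name__ == "__main__":
    # Constructed sample records (hypothetical root path): one normal, two traversal attempts
    root = "/srv/dicom/fileset_example"
    for rec in (["IMAGES", "IM000001"], ["..", "..", "etc", "passwd"], ["IMAGES/../../etc"]):
        print(rec, "->", "OK" if is_safe_file_id(root, rec, strict=False) else "REJECTED")
```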

Affected Version(s)

pydicom >= 2.0.0-rc.1, < 3.0.2

CVSS V3.1

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Vector string (assembled from the metrics above): CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

  • Vulnerability published

  • Vulnerability Reserved
