Denial of Service Vulnerability in DCMTK Worklist Server
CVE-2026-44628
8.7 HIGH
What is CVE-2026-44628?
An unauthenticated attacker can cause a denial of service in the DCMTK Worklist Server by sending a specially crafted query. The server can crash when it has a valid Called AE Title, an expected lockfile, and at least one corresponding worklist record, rendering the service unavailable. Timely updates and proper configurations are crucial to mitigate this risk.
Affected Version(s)
DCMTK Toolkit 0 <= 3.7.0
CVSS V4
Score: 8.7
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Abhinav Agarwal reported this vulnerability to CISA
