CVE-2026-32711
Status: Received (Intake)
Path Traversal in pydicom DICOMDIR Enables Arbitrary File Access

Publication date: 2026-03-20

Last updated on: 2026-03-23

Assigner: GitHub, Inc.

Description
pydicom is a pure Python package for working with DICOM files. Versions 2.0.0-rc.1 through 3.0.1 are vulnerable to Path Traversal through a maliciously crafted DICOMDIR ReferencedFileID when it is set to a path outside the File-set root. pydicom resolves the path only to confirm that it exists, but does not verify that the resolved path remains under the File-set root. Subsequent public FileSet operations such as copy(), write(), and remove()+write(use_existing=True) use that unchecked path in file I/O operations. This allows arbitrary file read/copy and, in some flows, move/delete outside the File-set root. This issue has been fixed in version 3.0.2.
Meta Information
Generated: 2026-06-16
AI Q&A generated: 2026-03-20
EPSS evaluated: 2026-06-15
External references: NVD, EUVD
Affected Vendors & Products
1 associated CPE

Vendor    Product    Version / Range
pydicom   pydicom    From 2.0.0 (inclusive) to 3.0.2 (exclusive)

Note that the CPE range starts at the 2.0.0 release, whereas the description above also lists the 2.0.0-rc.1 release candidate as affected.
Exploitability

CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI Quick Actions (AI-generated summaries)
Executive Summary

CVE-2026-32711 is a path traversal vulnerability in the pydicom Python library, which is used for working with DICOM files. The issue is triggered by a maliciously crafted DICOMDIR whose ReferencedFileID points to a path outside the intended File-set root directory.

pydicom resolves that path only to check whether the file exists and does not verify that the resolved path remains within the File-set root. Public FileSet operations such as copy(), write(), and remove() followed by write(use_existing=True) then use the unchecked path for file I/O, so an attacker-controlled File-set can cause files outside the root to be read or copied and, in some flows, moved or deleted.

The vulnerability affects versions 2.0.0-rc.1 through 3.0.1 and was fixed in version 3.0.2, which adds the missing containment check so that a ReferencedFileID cannot escape the File-set root.

Impact Analysis

This vulnerability can allow an attacker to perform unauthorized file operations on your system if you use a vulnerable version of pydicom to process untrusted DICOMDIR or File-set inputs. The attacker only needs to supply the File-set; the affected code paths are the public FileSet methods that perform file I/O on the referenced files.

  • Arbitrary file read and copy outside the File-set root (for example through FileSet.copy()), potentially exposing sensitive files.
  • In some flows, file moves outside the File-set root, which could relocate or overwrite important files.
  • In some flows, file deletion outside the File-set root, leading to loss of critical data.

These impacts affect the confidentiality, integrity, and availability of files on the host, not just of the File-set being processed.

Detection Guidance

This vulnerability can be detected by inspecting DICOMDIR files for ReferencedFileID values that point outside the intended File-set root.

A practical approach is to read the DICOMDIR with pydicom (any version: dcmread() only parses the DICOMDIR and performs no File-set I/O, so the check is safe to run even on a vulnerable release), walk the DirectoryRecordSequence, join each ReferencedFileID to the File-set root (the directory that contains the DICOMDIR), and verify that the resolved path stays under that root. Do not build a FileSet from an unscreened DICOMDIR for this purpose, since the FileSet methods are where the unchecked path reaches file I/O.

  • Flag traversal patterns such as '..' components or absolute paths, and any entry whose resolved path lies outside the root.
  • Example snippet (ReferencedFileID is a str for a single component and a list-like value for several):

```python
from pathlib import Path
from pydicom import dcmread

dicomdir = Path("path_to_DICOMDIR")
root = dicomdir.parent.resolve()  # File-set root = the DICOMDIR's directory
for record in dcmread(dicomdir).DirectoryRecordSequence:
    file_id = record.get("ReferencedFileID")  # only leaf records carry one
    if file_id is None:
        continue
    parts = [file_id] if isinstance(file_id, str) else list(file_id)
    resolved = root.joinpath(*parts).resolve()
    if root not in resolved.parents:  # '..' or an absolute component escaped
        print("escapes File-set root:", record.DirectoryRecordType, parts)
```

  • Monitoring the file operations triggered by pydicom's FileSet methods such as copy(), write(), or remove() followed by write(use_existing=True) for accesses outside the File-set root can also reveal exploitation attempts. [1]

Mitigation Strategies

The immediate and most effective mitigation is to upgrade pydicom to version 3.0.2 or later, which checks that each ReferencedFileID resolves to a location under the File-set root before using it.

If upgrading is not immediately possible, do not process untrusted or unauthenticated DICOMDIR/File-set inputs with a vulnerable pydicom version; in particular, avoid FileSet.copy(), write(), and remove() followed by write(use_existing=True) on such inputs, since these are the operations that perform file I/O on the unchecked path.

As defence in depth, validate every ReferencedFileID before any FileSet I/O (reject '..' and absolute components and confirm that the resolved path stays under the File-set root), run the processing under an account confined to the File-set directory, and monitor for file accesses outside that directory.
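The following is an added example, not pydicom's own code, that serves both the detection and the mitigation guidance above: it reproduces the existence-only check the description attributes to vulnerable versions beside a containment check that rejects a ReferencedFileID before any FileSet-style I/O, and runs both over a constructed File-set. It uses only the Python standard library; a ReferencedFileID is modelled the way pydicom exposes a CS element with VM 1-8 (a str for one component, a list of str for several). The syntactic File ID rule it applies (1 to 8 components, each 1 to 8 characters from A-Z, 0-9 and underscore) comes from DICOM PS3.10 Section 8.5 and is an extra layer on top of the containment check, not something the advisory states pydicom 3.0.2 does. The names unsafe_resolve, safe_resolve, scan_file_ids and demo are this example's own.

```python
"""Added example (not pydicom's code): an existence-only check that a crafted
ReferencedFileID satisfies, beside a containment check that rejects it.

Standard library only. ReferencedFileID is modelled as pydicom exposes a CS
element with VM 1-8: a str for one component, a list of str for several.
The syntactic rule (DICOM PS3.10 Section 8.5: 1-8 components of 1-8 characters
from A-Z, 0-9 and underscore) is an assumption layered on the containment check.
"""
import os
import re
import tempfile
from pathlib import Path
from typing import Iterable, List, Optional, Tuple, Union

FileID = Union[str, List[str]]

_COMPONENT_RE = re.compile(r"^[A-Z0-9_]{1,8}$")
_MAX_COMPONENTS = 8


def components(file_id: FileID) -> List[str]:
    """Normalise a ReferencedFileID value to a list of path components."""
    return [file_id] if isinstance(file_id, str) else list(file_id)


def unsafe_resolve(root: Path, file_id: FileID) -> Optional[Path]:
    """The vulnerable pattern from the advisory: join the File ID to the
    File-set root and only confirm that the result exists. A '..' or an
    absolute component moves the path outside root and the check passes."""
    candidate = Path(root, *components(file_id))
    return candidate if candidate.exists() else None


def safe_resolve(root: Path, file_id: FileID) -> Path:
    """Hardened resolution: reject syntactically invalid File IDs, then
    require the fully resolved path (symlinks followed) to remain under
    the resolved root. Raises ValueError for anything that escapes."""
    parts = components(file_id)
    if not 1 <= len(parts) <= _MAX_COMPONENTS:
        raise ValueError(f"File ID must have 1-{_MAX_COMPONENTS} components")
    bad = [p for p in parts if not _COMPONENT_RE.match(p)]
    if bad:
        raise ValueError(f"invalid File ID component(s): {bad!r}")
    root_resolved = Path(root).resolve()
    candidate = root_resolved.joinpath(*parts).resolve()
    try:
        candidate.relative_to(root_resolved)
    except ValueError:
        raise ValueError(f"{candidate} escapes the File-set root") from None
    return candidate


def scan_file_ids(root: Path, file_ids: Iterable[FileID]) -> List[Tuple[str, str]]:
    """Pre-screen the ReferencedFileIDs of a DICOMDIR before handing the
    File-set to copy()/write()/remove(). Returns (file_id, reason) for each
    rejected entry; an empty list means every entry stays under root."""
    findings = []
    for file_id in file_ids:
        try:
            safe_resolve(root, file_id)
        except ValueError as exc:
            findings.append(("/".join(components(file_id)), str(exc)))
    return findings


def demo() -> dict:
    """Constructed File-set: a root holding one legitimate instance, a
    sensitive file beside the root, and File IDs pointing at each."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        root = base / "FILESET"
        (root / "IMAGES").mkdir(parents=True)
        (root / "IMAGES" / "IM000001").write_bytes(b"\x00" * 128 + b"DICM")
        secret = base / "SECRET"
        secret.write_text("outside the File-set")

        good: FileID = ["IMAGES", "IM000001"]
        traversal: FileID = ["..", "SECRET"]
        absolute: FileID = os.fspath(secret)

        result = {
            # The existence-only check is satisfied by both escaping IDs.
            "unsafe_accepts_traversal": unsafe_resolve(root, traversal) is not None,
            "unsafe_accepts_absolute": unsafe_resolve(root, absolute) is not None,
            "safe_good": safe_resolve(root, good).name,
            "rejected": [fid for fid, _ in scan_file_ids(root, [good, traversal, absolute])],
        }
        # A well-formed component that is a symlink out of the root still fails
        # the containment check (None where the platform refuses symlinks).
        try:
            os.symlink(secret, root / "LINK")
        except (OSError, NotImplementedError):
            result["symlink_rejected"] = None
        else:
            result["symlink_rejected"] = bool(scan_file_ids(root, [["LINK"]]))
        return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the module prints that unsafe_resolve accepts both the '..' and the absolute File ID (the file exists, so the existence-only check passes) while scan_file_ids rejects them and, where symlinks are available, also rejects a well-formed component that links out of the root. In a real pre-screen the file_ids argument would be the ReferencedFileID values read from the DICOMDIR's DirectoryRecordSequence.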
