Description
pydicom is a pure Python package for working with DICOM files. Versions 2.0.0-rc.1 through 3.0.1 are vulnerable to Path Traversal through a maliciously crafted DICOMDIR ReferencedFileID when it is set to a path outside the File-set root. pydicom resolves the path only to confirm that it exists, but does not verify that the resolved path remains under the File-set root. Subsequent public FileSet operations such as copy(), write(), and remove()+write(use_existing=True) use that unchecked path in file I/O operations. This allows arbitrary file read/copy and, in some flows, move/delete outside the File-set root. This issue has been fixed in version 3.0.2.
Published: 2026-03-20
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized file read/write outside the File-set root via path traversal
Action: Patch
AI Analysis

Impact

A maliciously crafted DICOMDIR ReferencedFileID can point to files outside the intended File-set root. The library resolves the path only to confirm existence, but does not check that the resolved path remains inside the root. When common FileSet operations such as copy(), write(), or remove()+write(use_existing=True) later use that unchecked path, an attacker can read, copy, and in some flows move or delete arbitrary files. The weakness corresponds to CWE-22 (Path Traversal). The CVSS score of 7.8 indicates a high severity impact on confidentiality, integrity, and availability.
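The following is an added example, not pydicom's own code, showing the difference between the existence-only check described above and a containment check that verifies the resolved path still lies under the File-set root. It assumes the ReferencedFileID has already been split into its backslash-separated components (the `components` list) and builds a small constructed File-set layout in a temporary directory to exercise both checks with a normal reference, a `..` reference, an absolute path, and a symlink pointing outside the root.

```python
"""Containment check for a DICOMDIR ReferencedFileID against a File-set root.

Added example (not pydicom's code). The File-set layout, file names and
contents below are constructed for the demonstration.
"""
import tempfile
from pathlib import Path


def exists_only_check(root, components):
    """The insufficient check: resolve the path only to confirm it exists.

    Nothing here verifies that the resolved path is still under `root`.
    """
    candidate = Path(root).joinpath(*components).resolve()
    if not candidate.exists():
        raise FileNotFoundError(candidate)
    return candidate


def resolve_referenced_file(root, components):
    """Resolve a ReferencedFileID and require it to stay under `root`.

    `components` (assumed already split, e.g. ["IMAGES", "IM000001"]) are
    joined onto the root; resolve() collapses ".." and follows symlinks, so
    the comparison is made on the real filesystem location.
    """
    root = Path(root).resolve()
    candidate = root.joinpath(*components).resolve()
    try:
        candidate.relative_to(root)  # raises ValueError when outside root
    except ValueError:
        raise ValueError(
            f"ReferencedFileID escapes File-set root: {candidate}"
        ) from None
    return candidate


def _accepts(check, root, components):
    """True if `check` returns a path, False if it rejects the reference."""
    try:
        check(root, components)
        return True
    except (ValueError, FileNotFoundError):
        return False


def run_demo():
    """Build a constructed File-set in a temp dir and exercise both checks.

    Returns {case_name: {"exists_only": bool, "contained": bool}}.
    """
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp).resolve()
        root = tmp / "FILESET"
        (root / "IMAGES").mkdir(parents=True)
        (root / "IMAGES" / "IM000001").write_bytes(b"constructed image bytes")
        secret = tmp / "secret.txt"  # a file outside the File-set root
        secret.write_text("constructed sensitive content")

        cases = {
            "inside": ["IMAGES", "IM000001"],
            "dotdot": ["..", "secret.txt"],
            "absolute": [str(secret)],
        }
        try:
            (root / "IMAGES" / "LINK").symlink_to(secret)
            cases["symlink"] = ["IMAGES", "LINK"]
        except OSError:
            pass  # symlinks unsupported on this platform; skip that case

        for name, components in cases.items():
            results[name] = {
                "exists_only": _accepts(exists_only_check, root, components),
                "contained": _accepts(resolve_referenced_file, root, components),
            }
    return results


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case:9s} exists_only={outcome['exists_only']} "
              f"contained={outcome['contained']}")
```

The existence-only check accepts every reference because each target really exists; the containment check accepts only the reference that stays inside the File-set root. Following symlinks before the comparison is a deliberate choice: a link inside the root that points outside it is rejected as well, which matches the defensive goal of never doing file I/O outside the root.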

Affected Systems

The vulnerability affects the Python package pydicom, versions 2.0.0-rc.1 through 3.0.1 inclusive. The issue was fixed in release 3.0.2, so any system still running one of the affected versions is potentially exposed. Users of pydicom in any Python environment that processes DICOMDIR files should verify the version they are running.

Risk and Exploitability

The attack requires delivery of a crafted DICOMDIR file to an application that imports pydicom and performs FileSet operations such as copy or write. Because the EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog, the likelihood of active exploitation is currently low, but the high CVSS score means significant damage is possible if it is exploited. Organizations processing medical imaging data that import DICOMDIR files with pydicom should consider the risk of arbitrary file access if the library is not updated.

Generated by OpenCVE AI on March 23, 2026 at 18:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade pydicom to version 3.0.2 or newer

Tracking

Advisories
Source | ID | Title
GitHub GHSA | GHSA-v856-2rf8-9f28 | pydicom has a path traversal in FileSet/DICOMDIR ReferencedFileID allows file access outside the File-set root
History

Mon, 23 Mar 2026 17:15:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:pydicom:pydicom:*:*:*:*:*:python:*:*

Fri, 20 Mar 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 20 Mar 2026 09:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Pydicom; Pydicom pydicom
Vendors & Products | | Pydicom; Pydicom pydicom

Fri, 20 Mar 2026 02:15:00 +0000

Type | Values Removed | Values Added
Description | | pydicom is a pure Python package for working with DICOM files. Versions 2.0.0-rc.1 through 3.0.1 are vulnerable to Path Traversal through a maliciously crafted DICOMDIR ReferencedFileID when it is set to a path outside the File-set root. pydicom resolves the path only to confirm that it exists, but does not verify that the resolved path remains under the File-set root. Subsequent public FileSet operations such as copy(), write(), and remove()+write(use_existing=True) use that unchecked path in file I/O operations. This allows arbitrary file read/copy and, in some flows, move/delete outside the File-set root. This issue has been fixed in version 3.0.2.
Title | | pydicom: Path traversal in FileSet/DICOMDIR ReferencedFileID allows file access outside the File-set root
Weaknesses | | CWE-22
References | |
Metrics | | cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T16:41:56.917Z

Reserved: 2026-03-13T14:33:42.824Z

Link: CVE-2026-32711

Vulnrichment

Updated: 2026-03-20T16:41:52.638Z

NVD

Status: Analyzed

Published: 2026-03-20T02:16:33.600

Modified: 2026-03-23T17:02:26.190

Link: CVE-2026-32711

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:10:09Z

Weaknesses