Description
The qrscp application's C-STORE handler uses a specific instance from attacker-supplied DICOM datasets directly in os.path.join() without sanitization, allowing file writes to arbitrary paths.
Published: 2026-06-25
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The qrscp application’s C‑STORE handler copies an attacker‑supplied path from a DICOM dataset into os.path.join() without sanitization, allowing the attacker to craft a file name that resolves to any filesystem location. This flaw is a classic path‑traversal weakness (CWE‑22) and enables the creation or overwriting of arbitrary files on the host. The consequence is a severe breach of confidentiality, integrity, or availability if critical files are targeted.

Affected Systems

Products affected are the pydicom and pynetdicom libraries, which implement the qrscp application. No version information is provided, implying that all releases containing this code path may be vulnerable and should be evaluated for the presence of the flaw.

Risk and Exploitability

The CVSS score of 8.8 assigns this vulnerability to high severity. The EPSS score is not available and the flaw is not listed in CISA’s KEV catalog, suggesting a moderate exploitation probability, but the potential impact remains significant. Likely attack vectors involve a remote, possibly untrusted, DICOM client that can send a specially crafted dataset to the target service, requiring the C‑STORE endpoint to be reachable from an external network.

Generated by OpenCVE AI on June 25, 2026 at 23:28 UTC.

Remediation

Vendor Workaround

The maintainer of pynetdicom has not responded to requests to work with CISA to mitigate this vulnerability. For update information, refer to the GitHub page [https://github.com/pydicom/pynetdicom](https://github.com/pydicom/pynetdicom).


OpenCVE Recommended Actions

  • Upgrade the pydicom and pynetdicom libraries to a fixed release when one becomes available
  • Check the project's GitHub repository for updates or community‑issued patches
  • If an immediate upgrade is not feasible, restrict the DICOM C‑STORE service’s filesystem permissions or run it within a sandboxed environment to limit write access
  • As a temporary workaround, patch the code to sanitize the file name extracted from the DICOM dataset before passing it to os.path.join, ensuring it resolves only within an allowed base directory
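As an added illustration of the last item (example code, not pynetdicom's own): a check that accepts only a syntactically valid DICOM UID as the file name and then proves the joined path stays under an assumed storage root, shown next to the weak pattern the CVE describes.

```python
import os
import re

# Constructed example, not pynetdicom code. Assumed: the stored file name is
# derived from the dataset's SOP Instance UID and files live under BASE_DIR.
BASE_DIR = "/var/lib/qrscp/storage"  # assumed storage root

# DICOM UIDs consist of digit components separated by dots, max 64 chars.
_UID_RE = re.compile(r"[0-9]+(\.[0-9]+)*")


def unsafe_target(base_dir: str, name: str) -> str:
    """The weak pattern: os.path.join() trusts the name as given.

    An absolute name replaces base_dir entirely and a name containing '..'
    components can resolve outside it; nothing here checks either case.
    """
    return os.path.join(base_dir, name)


def safe_target(base_dir: str, name: str) -> str:
    """Hardened pattern: validate the name, then verify the resolved path."""
    # First line of defence: only a well-formed UID is accepted at all, which
    # already excludes separators, '..' and empty names.
    if len(name) > 64 or not _UID_RE.fullmatch(name):
        raise ValueError(f"rejected: not a valid DICOM UID: {name!r}")
    # Second line of defence (independent of the regex): resolve symlinks and
    # '..' on both sides and require the target to sit under the root.
    root = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(root, name))
    # commonpath, not startswith, so a sibling such as ".../storage2" fails.
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"rejected: escapes storage root: {name!r}")
    return target


def accepts(name: str) -> bool:
    """True if the hardened check would store a file under this name."""
    try:
        safe_target(BASE_DIR, name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for candidate in ("1.2.840.113619.2.55.3", "../../etc/passwd", "/etc/passwd"):
        print(f"{candidate!r}: {'accepted' if accepts(candidate) else 'rejected'}")
```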

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 21:00:00 +0000

Values added (no values removed):
  • Description: The qrscp application's C-STORE handler uses a specific instance from attacker-supplied DICOM datasets directly in os.path.join() without sanitization, allowing file writes to arbitrary paths.
  • Title: pydicom pynetdicom Library Path Traversal
  • Weaknesses: CWE-22
  • References: (none)
  • Metrics: cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'}; cvssV4_0 {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-06-25T20:46:44.045Z

Reserved: 2026-06-22T15:47:37.774Z

Link: CVE-2026-56445

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T23:30:16Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')