CISA has published an advisory warning of a critical path traversal vulnerability in the pynetdicom library, a widely used Python toolkit for DICOM networking maintained by the pydicom project. The flaw carries a CVSS v3.1 base score of 9.1 (Critical) and affects releases from version 1.0.0 up to, but not including, 3.0.4.

Vulnerability Details

The issue, tracked as CVE-2026-56445, resides in the qrscp application's C-STORE handler. The handler passes an instance identifier drawn directly from an attacker-supplied DICOM dataset into Python's os.path.join() without first sanitizing or validating the input. os.path.join() neither strips ".." segments nor keeps the storage directory as a prefix when a later component is an absolute path, so with no path restriction enforced a remote, unauthenticated attacker can craft a malicious DICOM dataset that causes the application to write data to an arbitrary filesystem path of the attacker's choosing on the target host.
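The two os.path.join() behaviours above, and the check that closes them, are easier to see in code. The following is an added example written for this page; it is not pynetdicom's or qrscp's code and does not import the library. It models the unsafe pattern as a plain function that joins a storage root with an identifier taken from the incoming dataset (in a real C-STORE handler this would typically be the SOP Instance UID), beside a hardened version that first checks the identifier against the DICOM UID grammar (digits separated by dots, at most 64 characters; an assumption made here for validation, not a rule taken from the library) and then confirms the resolved path still lies under the storage root. The three identifiers in the demo are constructed for illustration and are written only inside a throwaway temporary directory.

```python
import os
import re
import tempfile

# Assumed UID grammar for validation: dot-separated digit groups, max 64 chars.
_UID_RE = re.compile(r"^[0-9]+(\.[0-9]+)*$")
MAX_UID_LEN = 64


def vulnerable_store_path(storage_dir: str, instance_uid: str) -> str:
    """Model of the unsafe pattern: the identifier from the received dataset
    goes straight into os.path.join(). A '..' segment climbs out of the root,
    and an absolute identifier makes os.path.join() discard the root entirely."""
    return os.path.join(storage_dir, instance_uid)


def safe_store_path(storage_dir: str, instance_uid: str) -> str:
    """Hardened variant: reject anything that is not shaped like a UID, then
    verify the resolved target is still inside the storage directory."""
    if len(instance_uid) > MAX_UID_LEN or not _UID_RE.match(instance_uid):
        raise ValueError(f"rejected instance identifier: {instance_uid!r}")
    root = os.path.realpath(storage_dir)
    target = os.path.realpath(os.path.join(root, instance_uid))
    # Defence in depth: even a value that passed the grammar check must not
    # resolve outside the root (covers symlinks and platform path quirks).
    if os.path.commonpath([root, target]) != root:
        raise ValueError("resolved path escapes the storage directory")
    return target


def escapes_root(storage_dir: str, path: str) -> bool:
    """True if `path`, once resolved, is not beneath `storage_dir`."""
    root = os.path.realpath(storage_dir)
    return os.path.commonpath([root, os.path.realpath(path)]) != root


def demo() -> dict:
    """Run both resolvers over constructed identifiers inside a temporary
    directory and report, per identifier, whether the naive join escaped the
    storage root and whether the hardened resolver accepted the value."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "storage")
        os.mkdir(root)
        payloads = {
            # Constructed, well-formed UID: the only value that should be stored.
            "benign": "1.2.826.0.1.3680043.8.498.1",
            # Constructed traversal: lands one level above the storage root.
            "dotdot": os.path.join("..", "outside.dcm"),
            # Constructed absolute identifier: os.path.join() drops `root`.
            "absolute": os.path.join(tmp, "abs.dcm"),
        }
        for name, uid in payloads.items():
            unsafe = vulnerable_store_path(root, uid)
            # Write a marker the way a naive handler would persist the dataset.
            with open(unsafe, "wb") as fh:
                fh.write(b"DICM")
            try:
                safe_store_path(root, uid)
                accepted = True
            except ValueError:
                accepted = False
            results[name] = {
                "unsafe_escapes_root": escapes_root(root, unsafe),
                "hardened_accepts": accepted,
            }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:9s} naive join escaped root: {outcome['unsafe_escapes_root']!s:5s} "
              f"hardened accepted: {outcome['hardened_accepts']}")
```

The grammar check alone would already reject both malicious identifiers, since neither "/" nor ".." can appear in a UID; the realpath/commonpath check is kept because it is independent of the identifier format and catches escapes introduced elsewhere (a symlink under the storage root, or a later change that relaxes the regex).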

The vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). The CVSS v3.1 metrics reflect a network-accessible attack surface, low attack complexity, no privileges required and no user interaction, with high impact to integrity and availability and none to confidentiality; with scope unchanged, these metrics correspond to the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H, which scores 9.1.

Affected Products and Scope

  • Vendor: pydicom
  • Product: pynetdicom versions 1.0.0 and later, up to but not including 3.0.4
  • Deployment: Worldwide, with particular relevance to Healthcare and Public Health critical infrastructure sectors

Remediation and Vendor Response

CISA notes that the maintainer of pynetdicom has not responded to requests to collaborate on mitigating this vulnerability. Organizations should consult the official pynetdicom GitHub repository for patch availability and update to version 3.0.4 or later as soon as a fix is confirmed.

In the interim, CISA recommends the following defensive measures:

  • Remove DICOM services from direct internet exposure and place them behind firewalls, isolated from general business networks.
  • Require remote access to pass through a VPN or similarly secured channel, and keep VPN software current.
  • Monitor hosts running pynetdicom-based services for file creation outside the configured DICOM storage directory, particularly writes by the service account to locations that can influence execution (scheduled-task directories, web roots, startup scripts).

Researcher Credit

Simon Weber and Volker Schönefeld of Machine Spirits UG reported the vulnerability to CISA. No known public exploitation has been reported at the time of the advisory’s initial publication on June 25, 2026.