Path Traversal in pynetdicom Allows Unauthenticated Arbitrary File Write (CVE-2026-56445, CVSS 9.1)
CISA's June 25 medical advisory flags CVE-2026-56445, a path traversal flaw in the pydicom project's pynetdicom library (versions 1.0.0 and later) rated CVSS v3 9.1.
At a glance
- CVE-2026-56445 is a path traversal vulnerability in pynetdicom (>= v1.0.0) rated CVSS v3 9.1.
- An unauthenticated attacker could write to arbitrary file paths via the qrscp application's C-STORE handler.
- The flaw stems from using attacker-supplied DICOM dataset values directly in file paths.
VERDICT — CONFIRMED
A path traversal flaw in the pydicom project's pynetdicom library, tracked as CVE-2026-56445 and rated CVSS v3 9.1, allows an unauthenticated attacker to write to arbitrary file paths, per a CISA medical advisory published June 25.
The vulnerability affects pynetdicom versions 1.0.0 and later, per the advisory. It stems from the qrscp application's C-STORE handler using values from attacker-supplied DICOM datasets directly in file paths — letting a remote party who can reach the service dictate where files are written on the host.
The library is deployed worldwide in the healthcare and public health sector, per CISA. Fixed versions, researcher credit and any evidence of in-the-wild exploitation were not carried in the feed and remain unverified here.
Background
pydicom is a long-established open-source Python ecosystem for working with DICOM, the standard format and network protocol for medical imaging. pynetdicom implements DICOM's networking layer, and its bundled qrscp application provides the query, retrieve and storage functions of a small imaging archive. Components of this kind are woven through research pipelines, hospital tooling and vendor products, which is why flaws in them propagate far beyond any single installation.
C-STORE is the DICOM operation by which one system transmits an image object to another for storage. Path traversal arises when input that should name a file within a bounded directory is allowed to contain path components that escape it. An arbitrary file write on a server is frequently a stepping stone to full code execution, since attackers can target startup scripts, scheduled tasks or web-accessible directories.
A 9.1 CVSS rating combined with no authentication requirement places the flaw in the range typically treated as urgent for internet-reachable or poorly segmented deployments — a common condition in healthcare networks that have grown by accretion.
What comes next
The next step for deployers, per standard advisory practice, is to update pynetdicom where a fix is available, restrict network access to DICOM services, and audit hosts running qrscp for unexpected files. Watch the CISA advisory for updates, including the fixed-version details absent from the material here.
Key facts on file
- CVE-2026-56445 is a path traversal vulnerability in pynetdicom (>= v1.0.0) rated CVSS v3 9.1.
- An unauthenticated attacker could write to arbitrary file paths via the qrscp application's C-STORE handler.
- The flaw stems from using attacker-supplied DICOM dataset values directly in file paths.
