CRITICAL | CVE-2026-50003 | CNA: icscert

CVE-2026-50003: OFFIS DCMTK Toolkit Path Traversal

A malicious or compromised server can make a DCMTK client using bit-preserving C-GET storage mode write files outside the chosen output directory, using both relative (../) paths and absolute paths.

Metrics

  • CVSS v4.0: 9.3
  • Severity: CRITICAL
  • Fixed in:
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A path traversal vulnerability in the OFFIS DCMTK Toolkit (versions up to and including 3.7.0) allows a malicious or compromised DICOM server to direct a connecting client to write files outside its intended output directory. The attack is reachable over the network with no authentication required, as derived from the CVSS v4.0 vector (AV:N, PR:N). Successful exploitation gives an attacker arbitrary file write on the client host, enabling data tampering and potential code execution by overwriting trusted files. No fix has been published yet; HarborGuard tracks the advisory and will surface a patched-image rebuild the moment upstream ships a fix.

HarborGuard Coverage

Detection

Detection for CVE-2026-50003 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds, including custom-built images that bundle DCMTK. Coverage extends to images in both connected registries and active CI/CD pipelines.

Status: Available

Triage

Triage is available using the CVSS v4.0 base score of 9.3 (Critical), weighted against each customer organization's compliance policy to determine priority routing. Findings are dispatched to the appropriate team inbox within each customer environment based on configured ownership and severity thresholds.

Status: Available

Patch

Because no fix version has been published upstream, HarborGuard re-checks the OFFIS DCMTK advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention once a fix version exists.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must operate a reachable DICOM server over the network that the DCMTK client connects to, as indicated by AV:N in the CVSS vector.

  • Authentication: Not required

    No credentials or account privileges are needed to exploit this vulnerability; PR:N indicates the attack proceeds without any authentication barrier.

  • Victim interaction: Not required

    No user interaction is required beyond the DCMTK client's normal operation of connecting to a DICOM server, as indicated by UI:N.

  • Attack complexity: Detail

    Attack complexity is low (AC:L), meaning the exploit is reliable and requires no special timing, race conditions, or environmental preconditions beyond a client connecting to the attacker-controlled server.

Blast Radius

  • Writes arbitrary files to any path on the client host filesystem, including outside the designated output directory, by supplying relative (../) or absolute paths in server responses.
  • Overwrites existing files such as configuration files, executables, or scripts, enabling follow-on code execution on the affected host.
  • Corrupts or replaces medical imaging data stored on the client system, directly affecting data integrity in DICOM workflows.
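
The containment check that closes off both path forms named above (relative `../` and absolute), shown as an added example; it is not DCMTK code and not the upstream fix. The helper name `resolve_inside_output_dir` and the sample file names are assumptions made for illustration.

```cpp
// Added example: not DCMTK code and not the upstream fix.
#include <iostream>
#include <string>
#include <vector>

// Split on both separators so "..\\x" is treated the same as "../x".
static std::vector<std::string> split_components(const std::string& name) {
    std::vector<std::string> parts;
    std::string cur;
    for (char c : name) {
        if (c == '/' || c == '\\') { parts.push_back(cur); cur.clear(); }
        else cur.push_back(c);
    }
    parts.push_back(cur);
    return parts;
}

// Hypothetical helper: returns true and sets `out` only when the peer-supplied
// name stays lexically inside `output_dir`. The check is lexical only; symlinks
// already present under output_dir need a separate check when opening the file.
bool resolve_inside_output_dir(const std::string& output_dir,
                               const std::string& untrusted_name,
                               std::string& out) {
    if (output_dir.empty() || untrusted_name.empty()) return false;
    if (untrusted_name.find('\0') != std::string::npos) return false;
    // Absolute forms: POSIX root or backslash/UNC root.
    if (untrusted_name[0] == '/' || untrusted_name[0] == '\\') return false;
    // Windows drive letter ("C:..."); conservatively rejects any "x:" prefix.
    if (untrusted_name.size() >= 2 && untrusted_name[1] == ':') return false;
    std::string rel;
    for (const std::string& part : split_components(untrusted_name)) {
        if (part == "..") return false;             // relative traversal
        if (part.empty() || part == ".") continue;  // "a//b", "./a"
        if (!rel.empty()) rel += '/';
        rel += part;
    }
    if (rel.empty()) return false;  // name was only "." or separators
    out = output_dir;
    if (out.back() != '/') out += '/';
    out += rel;
    return true;
}

int main() {
    // Constructed sample names, not taken from any real server response.
    const char* samples[] = {"img001.dcm", "../../outside.dcm", "/tmp/outside.dcm"};
    for (const char* s : samples) {
        std::string p;
        bool ok = resolve_inside_output_dir("/data/out", s, p);
        std::cout << s << " -> " << (ok ? p : std::string("REJECTED")) << "\n";
    }
}
```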

How HarborGuard Handles This

Available on HarborGuard: images containing OFFIS DCMTK at or below version 3.7.0 are flagged as affected by this Critical-severity path traversal as soon as the CVE is ingested, typically within minutes of advisory publication. Because no upstream fix exists at this time, HarborGuard monitors the OFFIS advisory on every ingest cycle and will automatically make a patched-image rebuild available the moment a fix version is published; customers with auto-remediation enabled will receive the rebuild, a regression test run, and a PR opened against affected workloads without manual intervention. While awaiting an upstream patch, compensating controls worth considering include network-policy rules that restrict DCMTK client containers to connecting only to trusted DICOM server addresses, egress filtering to prevent connections to unknown endpoints, and disabling bit-preserving C-GET storage mode if the application supports an alternative retrieval configuration.

Affected packages
  • OFFIS DICOM / DCMTK Toolkit
    ≤ 3.7.0
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N