Skip to main content

DCMTK Toolkit CVE-2026-52868

| EUVDEUVD-2026-40417 HIGH
Path Traversal (CWE-22)
2026-06-30 icscert GHSA-998c-fcv7-9f2w
8.8
CVSS 4.0 · Vendor: icscert
Share

Severity by source

Vendor (icscert) PRIMARY
8.8 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Unauthenticated remote read of worklist files (AV:N/AC:L/PR:N/UI:N, C:H); the disclosure-only nature means no integrity or availability impact, unlike the source vector's VI:L.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (icscert).

CVSS VectorVendor: icscert

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 30, 2026 - 22:01 vuln.today

DescriptionCVE.org

An unauthenticated attacker can read worklist records from a directory outside the intended per-AE worklist storage area. In a multi-area deployment, this can cross departmental or clinic data separation.

AnalysisAI

Path traversal in OFFIS DCMTK DICOM toolkit lets an unauthenticated network attacker read DICOM Modality Worklist records stored outside the intended per-Application-Entity (AE) directory. In multi-area or multi-tenant deployments this breaks departmental and clinic-level data separation, exposing patient scheduling and demographic data across boundaries; the issue was disclosed through CISA's ICS Medical advisory ICSMA-26-181-01 with no public exploit identified at time of analysis.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach DICOM worklist SCP over network
Delivery
Send crafted worklist query with traversal sequence
Exploit
Bypass per-AE directory restriction
Execution
Read worklist records from other area
Impact
Exfiltrate cross-department patient data

Vulnerability AssessmentAI

Exploitation Requires network reachability to a DCMTK Modality Worklist SCP service (e.g., wlmscpfs) configured for a multi-area / multi-AE deployment where worklist records are partitioned into per-AE directories - that multi-area configuration is precisely the setting whose isolation is crossed. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N) and 8.8 score indicate a remotely reachable, low-complexity, unauthenticated read with high confidentiality impact, which is consistent with the described unauthenticated cross-area worklist disclosure. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with network access to a hospital's DICOM Modality Worklist service issues crafted worklist queries containing path-traversal sequences to make the DCMTK SCP read worklist files from another AE's directory. Without authenticating, they retrieve scheduled-procedure and patient demographic records belonging to a different department or clinic, breaching tenant separation. …
Remediation Upgrade to the fixed DCMTK release identified in CISA advisory ICSMA-26-181-01 (https://www.cisa.gov/news-events/ics-medical-advisories/icsma-26-181-01); the references point to the DCMTK GitHub releases page (https://github.com/DCMTK/dcmtk/releases/tag/latest) rather than a specific tagged version, so the upstream fix is available but the exact released patched version is not independently confirmed from the provided data - verify the precise fixed version against the advisory before deploying. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems running OFFIS DCMTK and map network exposure, especially multi-tenant deployments. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-52868 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy