TL;DR
CISA published an advisory for five DCMTK vulnerabilities on 30 June 2026. The DICOM toolkit powers medical imaging on many hospital systems. The worst flaw lets a malicious server write files onto a client. No exploitation in the wild has been confirmed.
Why It Matters
DCMTK handles DICOM images across PACS, scanners, and workstations, so these DCMTK vulnerabilities touch core clinical workflows. CISA links the affected toolkit to the healthcare sector. A file write or crash on a medical device can disrupt patient care. Imaging systems often trust peers on the same network without much scrutiny. Four of the five flaws need no authentication.
How the Attacks Work
Path traversal and file write (CVE-2026-50003)
A malicious or compromised server can abuse bit-preserving C-GET storage mode so that the client writes received files outside its output directory. Both relative and absolute paths work. That gives an attacker a way to tamper with saved study files. This critical flaw scores CVSS 9.8.
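The core of this flaw is that the receiving client trusts a file name chosen by the peer. As an added example, not code from DCMTK or from the advisory, the block below shows the check a storage client should run before writing a received object: it rejects absolute paths and drive letters, resolves symlinks and `..`, and confirms the result still sits inside the output directory, then writes with an exclusive-create flag so a peer cannot overwrite an already stored study file. The function names (`safe_output_path`, `is_safe_name`, `store_received_object`, `demo`) and the sample file names are invented for this example.

```python
"""
Added example, not DCMTK's own code: a defender-side check a DICOM storage
client can run before writing a received object to disk. The file name
offered by the peer (as in a bit-preserving store) is treated as untrusted.
Function names and sample inputs are constructed for this example.
"""
import tempfile
from pathlib import Path, PurePosixPath, PureWindowsPath


class UnsafePathError(ValueError):
    """Raised when a peer-supplied name would land outside the output directory."""


def safe_output_path(output_dir: str, peer_name: str) -> Path:
    """Map an untrusted file name to a path strictly inside output_dir, or raise.

    Checks, in order:
      1. no empty name, NUL byte, or trailing separator;
      2. no absolute path or drive letter, under POSIX or Windows rules;
      3. after resolving symlinks, '.', and '..', the result must still sit
         below the resolved output directory and must not be the directory itself.
    """
    if not peer_name or "\x00" in peer_name:
        raise UnsafePathError(f"empty or NUL-containing name: {peer_name!r}")
    # Treat backslashes as separators too, so 'a\\..\\b' is not a flat file name.
    name = peer_name.replace("\\", "/")
    if name.endswith("/"):
        raise UnsafePathError(f"directory-only name: {peer_name!r}")
    if PurePosixPath(name).is_absolute() or PureWindowsPath(name).drive:
        raise UnsafePathError(f"absolute path rejected: {peer_name!r}")
    base = Path(output_dir).resolve()
    candidate = (base / name).resolve()  # collapses '..' and follows symlinks
    try:
        candidate.relative_to(base)
    except ValueError:
        raise UnsafePathError(f"path escapes output dir: {peer_name!r}") from None
    if candidate == base:
        raise UnsafePathError(f"name resolves to the output dir itself: {peer_name!r}")
    return candidate


def is_safe_name(output_dir: str, peer_name: str) -> bool:
    """Boolean form of safe_output_path for policy checks and tests."""
    try:
        safe_output_path(output_dir, peer_name)
        return True
    except UnsafePathError:
        return False


def store_received_object(output_dir: str, peer_name: str, payload: bytes) -> Path:
    """Write payload under output_dir using the validated name; never overwrite."""
    target = safe_output_path(output_dir, peer_name)
    target.parent.mkdir(parents=True, exist_ok=True)
    # 'xb' fails if the file already exists, so a peer cannot replace a
    # previously stored study object by re-sending the same name. The symlink
    # check above is done at resolve time; a hardened service would also open
    # with O_NOFOLLOW to close the window between check and write.
    with open(target, "xb") as fh:
        fh.write(payload)
    return target


def demo() -> dict:
    """Run a constructed set of peer-supplied names against a temp directory."""
    attempts = [
        "1.2.826.0.1.3680043.2.1125.1.dcm",             # ordinary flat name
        "series7/1.2.826.0.1.3680043.2.1125.2.dcm",     # subdirectory, still inside
        "../../etc/passwd",                             # relative traversal
        "/etc/passwd",                                  # absolute path
        "C:\\Windows\\system32\\drivers\\etc\\hosts",   # Windows absolute path
        "series7/../../outside.dcm",                    # traversal hidden behind a subdir
    ]
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()
        for name in attempts:
            try:
                # 128-byte preamble plus 'DICM' magic, a constructed stand-in for a file.
                path = store_received_object(tmp, name, b"\x00" * 128 + b"DICM")
                results[name] = "stored:" + str(path.relative_to(base))
            except UnsafePathError:
                results[name] = "rejected"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{outcome:<50} {name!r}")
```

The check is deliberately applied after `resolve()` rather than by string-matching for `..`, because a symlink inside the output directory that points elsewhere would pass a purely lexical filter but fails the `relative_to` test here.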
Worklist data exposure (CVE-2026-52868)
An unauthenticated attacker can read worklist records from another storage area. As a result, departmental or clinic data separation can break. This can undo tenant isolation in a shared clinic setup. This flaw rates CVSS 8.2.
Denial of service (CVE-2026-50254, CVE-2026-35505, CVE-2026-44628)
Two flaws leak memory through repeated connection requests. So a single-process service exhausts memory and stops responding. A third flaw crashes the worklist server with one crafted query. Each rates around CVSS 7.5.
Affected Versions
All five flaws affect OFFIS DCMTK version 3.7.0 and earlier.
Patch and Mitigation
The maintainer has released a fix in the latest source, so update to the newest DCMTK build from GitHub. Until you patch, isolate DICOM traffic on a segmented network. Also keep DICOM services off the public internet. Finally, run those services with least privilege.