Critical bugs expose medical imaging software, one unpatched

Researchers have disclosed critical vulnerabilities in two widely used pieces of open-source medical imaging software, including one flaw that remains unpatched because the project maintainer has not responded.

The bugs affect tools built around DICOM, the standard format hospitals use to store and exchange medical images such as X-rays, CT scans, and MRIs. Simon Weber and Volker Schoenefeld of Machine Spirits UG reported both issues, which were published in CISA advisories. The software is deployed in healthcare environments worldwide.

What is affected

The more serious flaw, CVE-2026-56445 (CVSS 9.1), is a path traversal weakness in pynetdicom, a popular Python library for moving DICOM data over a network. Its file-receiving component builds a save path from attacker-supplied data without sanitizing it, so an unauthenticated attacker can write files to arbitrary locations on the server, a foothold that often leads to full remote code execution. All versions from 1.0.0 up to 3.0.4 are affected, and CISA says the maintainer has not responded to requests to coordinate a fix.
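The defensive pattern a storage service built on this library needs is illustrated below. It is an added example, not pynetdicom's code and not the patch the maintainer has yet to ship; it assumes a receiver that names each file after an identifier taken from the incoming dataset, and the helpers `is_safe_identifier`, `safe_storage_path` and `store_object` are hypothetical names chosen here.

```python
"""Added example, not pynetdicom's code: confine the on-disk path of a
received DICOM object to a single storage directory.

Assumptions (not from the advisory): the receiver names files after an
identifier read out of the incoming dataset, and every function below is
a hypothetical helper rather than any library's API.
"""
import os
import re
from pathlib import Path

# A DICOM UID (PS3.5 "UI" value representation) is dot-separated numeric
# components, at most 64 characters. The check is an allowlist of that
# shape, not a blocklist of '..' and separators, so nothing else gets in.
_UID_RE = re.compile(r"[0-9]+(\.[0-9]+)*")
_UID_MAX_LEN = 64


class UnsafePathError(ValueError):
    """Raised when a peer-supplied identifier would escape the store."""


def is_safe_identifier(identifier: str) -> bool:
    """True only for a non-empty, well-formed UID of legal length."""
    return 0 < len(identifier) <= _UID_MAX_LEN and _UID_RE.fullmatch(identifier) is not None


def naive_storage_path(base_dir: str, identifier: str) -> str:
    # The pattern the advisory describes: peer data joined into a path
    # unchecked, so separators or '..' in the identifier land the file
    # outside base_dir. Shown for contrast only.
    return os.path.join(base_dir, identifier + ".dcm")


def safe_storage_path(base_dir: str, identifier: str) -> Path:
    """Validated identifier, then a resolved path that must be a direct child of the store."""
    if not is_safe_identifier(identifier):
        raise UnsafePathError(f"rejected identifier: {identifier!r}")
    base = Path(base_dir).resolve()
    candidate = (base / f"{identifier}.dcm").resolve()
    # Defence in depth: even a validated name must resolve to a direct
    # child of the store (catches symlinks planted inside base_dir).
    if candidate.parent != base:
        raise UnsafePathError(f"path escapes store: {candidate}")
    return candidate


def store_object(base_dir: str, identifier: str, payload: bytes) -> Path:
    """Write one received object; 'xb' refuses to overwrite an existing file."""
    path = safe_storage_path(base_dir, identifier)
    with open(path, "xb") as fh:
        fh.write(payload)
    return path
```

The identifier check is deliberately an allowlist of the UID grammar: stripping `..` or separators from untrusted input leaves room for encodings the stripper did not anticipate, whereas refusing anything that is not digits and dots does not.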

The second flaw, CVE-2026-12473 (CVSS 8.2), is a server-side request forgery (SSRF) bug in OHIF Viewers, a web-based DICOM image viewer. Two data sources shipped in the default configuration fetch a URL supplied by an attacker, and OHIF automatically attaches the logged-in clinician's authentication token to that request, handing the token to an attacker-controlled server. A stolen token can let an attacker act as that clinician. Versions up to and including 3.12.0 are affected.
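The fix shipped for OHIF is an allowlist of trusted origins; the example below shows what such a gate has to get right before a clinician's token is attached to an outbound request. It is an added example, not OHIF's code: the allowlist format (`scheme://host[:port]` strings), the functions `is_trusted_origin` and `plan_fetch`, and the sample origins are all assumptions made here.

```python
"""Added example, not OHIF's code: gate a server-side fetch on an exact
allowlist of trusted origins before a user's bearer token is attached.

Assumptions (not from the advisory): the allowlist is a list of
'scheme://host[:port]' origins, and the function names are hypothetical.
"""
from urllib.parse import urlsplit

_DEFAULT_PORTS = {"https": 443, "http": 80}


class UntrustedOriginError(ValueError):
    """Raised when a requested URL is not on the allowlist."""


def _origin_parts(url: str):
    """Return (scheme, host, port) for a clean absolute URL, else None."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed or out-of-range port
    except ValueError:
        return None
    host = parts.hostname  # already lower-cased by urlsplit
    if parts.scheme not in _DEFAULT_PORTS or not host:
        return None
    if parts.username is not None or parts.password is not None:
        # 'https://trusted.example@other.example/' has hostname other.example;
        # refuse any userinfo rather than reason about it.
        return None
    return parts.scheme, host, port or _DEFAULT_PORTS[parts.scheme]


def is_trusted_origin(url: str, allowlist) -> bool:
    """Exact (scheme, host, port) match against the allowlist, https only."""
    target = _origin_parts(url)
    if target is None or target[0] != "https":
        return False  # a token never travels over plaintext
    allowed = {_origin_parts(origin) for origin in allowlist}
    allowed.discard(None)
    return target in allowed  # no suffix, prefix or substring matching


def plan_fetch(url: str, token: str, allowlist) -> dict:
    """Describe the outbound request; refuse outright if the origin is untrusted."""
    if not is_trusted_origin(url, allowlist):
        raise UntrustedOriginError(f"refusing fetch to untrusted origin: {url!r}")
    return {
        "url": url,
        "headers": {
            "Accept": "application/dicom+json",
            "Authorization": f"Bearer {token}",
        },
    }
```

Two design points matter here: the comparison is on the parsed origin tuple, not on the URL string (so a trusted hostname appearing in the userinfo, path or query of another origin does not match), and an untrusted origin is refused entirely rather than fetched without the token, since the fetch itself is the SSRF.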

What you should do

OHIF users should upgrade to version 3.12.2 or later, remove any unused DicomWebProxy and DicomJSON data source configurations, and, where those sources are required, configure the new allowlist for trusted origins. Because pynetdicom has no fix, operators should isolate any service built on it, keep it off the public internet, and tightly restrict which systems can connect to it. The project page is hxxps://github[.]com/pydicom/pynetdicom.

Healthcare remains one of the most targeted sectors in cyber operations. See our reporting on a claimed breach of a major national healthcare network and an analysis of the ransomware kill chain behind the Change Healthcare mega-breach.

Indicators

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.
