Security researchers have uncovered multiple vulnerabilities in a widely used DICOM toolkit.
What happened
According to Bank Info Security, several newly disclosed vulnerabilities in the widely used OFFIS DCMTK (DICOM Toolkit) could expose healthcare organizations to cyberattacks that compromise patient information, disrupt medical imaging services, and introduce broader risks across the software supply chain.
Independent security researcher Abhinav Agarwal identified the critical- and high-severity flaws using artificial intelligence-assisted security testing and reported them to the toolkit's developers and the Cybersecurity and Infrastructure Security Agency (CISA) in May. CISA published an advisory on the vulnerabilities this week.
The affected toolkit implements the Digital Imaging and Communications in Medicine (DICOM) standard, which forms the basis for the storage, transmission, and processing of medical images across hospitals and healthcare organizations worldwide. It is widely used in radiology, cardiology, radiotherapy, and other diagnostic imaging environments.
In the know
The Digital Imaging and Communications in Medicine (DICOM) standard is the global standard for storing, transmitting, and managing medical images and related patient information. It enables imaging devices and healthcare systems, such as CT scanners, MRI machines, X-ray systems, picture archiving and communication systems (PACS), and electronic health records, to exchange imaging data seamlessly, ensuring clinicians can access the information they need for diagnosis and treatment.
Going deeper
The vulnerabilities affect OFFIS DCMTK, an open-source toolkit that supports the DICOM standard used to store, process, and share medical images across healthcare systems. According to independent researcher Abhinav Agarwal, who discovered the flaws, the vulnerabilities could have a range of consequences if exploited.
The identified vulnerabilities include CVE-2026-52868, CVE-2026-50003, CVE-2026-44628, CVE-2026-35505, and CVE-2026-50254. These could result in:
- Exposure of patient information: One vulnerability could allow unauthorized users to access sensitive patient information contained in scheduling and procedure records, potentially compromising protected health information.
- Unauthorized file changes: A critical vulnerability could allow a malicious imaging server to influence where files are saved on a vulnerable system, increasing the risk of files being altered or stored in unintended locations.
- Disruption of imaging services: Another flaw could enable an attacker to crash a DICOM worklist server, preventing clinicians from accessing scheduling information needed for imaging procedures.
- Memory exhaustion attacks: Two additional vulnerabilities could gradually consume a system's available memory through repeated malicious requests, eventually causing DICOM storage or communication services to slow down or stop working altogether.
Agarwal noted that many healthcare organizations may be using software that incorporates the vulnerable DCMTK toolkit without realizing it. As a result, the flaws could affect a wide range of imaging products, including picture archiving and communication systems (PACS), vendor-neutral archives, DICOM routers, imaging workstations, and medical image viewers.
What was said
According to Bank Info Security, Agarwal emphasized that healthcare organizations should not dismiss the flaws as routine software bugs, stating, “These are not ordinary web bugs. They affect DICOM software used in medical-imaging workflows, where availability, patient metadata protection and downstream software-supply-chain visibility matter.”
He added that “While the vendor has applied fixes in the master branch, there is no release version with the fixes. So, downstream libraries and operators have no way to release with the fix to upgrade to it. The only option is to either patch the changes themselves or wait for a release to be out.”
The bigger picture
The newly disclosed flaws are the latest in a growing series of security issues affecting DICOM software. Earlier this year, CISA warned about a separate high-severity vulnerability in the Grassroots DICOM (GDCM) library that could allow attackers to exhaust system memory and crash medical imaging applications using specially crafted image files. That flaw illustrated how vulnerabilities in core DICOM libraries can disrupt clinical operations even without directly targeting hospital infrastructure.
While the vulnerabilities affect different DICOM toolkits, both incidents draw attention to the security of the software that supports medical imaging systems used across healthcare organizations.
Go deeper: CISA warns flaw could crash medical imaging systems
Why it matters
Medical imaging systems aid in diagnosing and treating patients, and many healthcare organizations rely on software built on shared DICOM toolkits without knowing it. That means a vulnerability in a widely used toolkit such as DCMTK could affect multiple imaging products across different hospitals and healthcare providers.
See also: HIPAA Compliant Email: The Definitive Guide (2026 Update)
FAQS
What types of patient information could be exposed?
Depending on how the affected software is used, vulnerabilities could expose information associated with medical imaging, such as patient names, procedure details, scheduling information, or other metadata linked to imaging studies.
Could these vulnerabilities affect medical devices?
Potentially. If a medical device or imaging application incorporates the vulnerable DCMTK toolkit, it could be affected until the software is updated by the manufacturer.
