
DCMTK storescp

OS Command Injection via Placeholder Substitution

When storescp is configured with --exec-on-reception or --exec-on-eostudy, attacker-controlled DICOM metadata is substituted into shell commands. The existing sanitization covers path separators but not shell metacharacters, resulting in command injection.

Authored by: Volker Schönefeld, Simon Weber
Date: 2026-04-06
Severity: Critical (CVSS 9.8)
CWE: CWE-78 (OS Command Injection)
Product: DCMTK storescp
Affected Versions: All versions through 3.7.0
Fixed In: No stable release yet. Apply edbb085e from DCMTK master.
CVE: CVE-2026-5663

Description

The --exec-on-reception and --exec-on-eostudy flags configure storescp to execute a shell command when a DICOM object is received. Placeholder tokens in the command string are substituted with values from the incoming DICOM association and passed to /bin/sh -c.

Three placeholder tokens accept attacker-controlled input: #f (filename, derived from SOP Instance UID), #p (path, derived from Study Instance UID when using --sort-on-study-uid), and #r (reverse DNS hostname of the caller).

The #f and #p placeholders are processed by sanitizeFilename(), which replaces path separator characters:

ofstd/libsrc/ofstd.cc:3405

void OFStandard::sanitizeFilename(OFString& fname)
{
    const size_t len = fname.length();
    for (size_t i = 0; i < len; ++i)
    {
        // Only the platform path separator is rewritten; every other
        // character, including shell metacharacters, is left in place.
        if (fname[i] == PATH_SEPARATOR) fname[i] = '_';
    }
}


Shell metacharacters such as semicolons, pipes, backticks, and dollar signs are not affected by this sanitization. The substituted command is passed to the shell:

dcmnet/apps/storescp.cc:2582

execl("/bin/sh", "/bin/sh", "-c", cmd.c_str(),
      OFreinterpret_cast(char *, 0));


The #r placeholder (reverse DNS hostname) is not sanitized before substitution. An attacker who controls the PTR record for their IP address can inject shell metacharacters through the resolved hostname.

In February 2024, the #a and #c placeholders (AE title tokens) received allowlist-based sanitization via sanitizeAETitle() (issue #1109). The #f, #p, and #r placeholders were not included in that change.

DICOM UID fields have a maximum length of 64 characters and whitespace is stripped by the parser. These constraints limit payload length but can be worked around using shell parameter expansion.

Note: VulDB currently lists this vulnerability at CVSS 7.3 (C:L/I:L/A:L). We believe the impact metrics should be C:H/I:H/A:H given the confirmed code execution capability, and have contacted VulDB regarding this scoring.

Impact

  • Unauthenticated remote code execution as the storescp process owner via a single DICOM C-STORE request.
  • In PACS environments, storescp typically has read/write access to Protected Health Information (PHI).
  • DCMTK is packaged in all major Linux distributions. The --exec-on-reception flag is the documented integration pattern for PACS servers, DICOM routers, and clinical research infrastructure.

Mitigation

Apply edbb085e from DCMTK master, or update to the next stable release once available. As a workaround, avoid using the #f, #p, and #r placeholders in --exec-on-reception or --exec-on-eostudy commands. The --disable-host-lookup flag disables the #r vector.
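The following C++ program is an added illustration for this advisory, not DCMTK code and not the fix in edbb085e. It places the path-separator-only behaviour described above next to hypothetical allowlist sanitizers for the #f/#p (UID-derived: digits and dots only) and #r (hostname: letters, digits, hyphens, dots) tokens, adds a reject-style metacharacter check, and includes a small audit helper that reports which of the risky placeholders a command template uses, which is the check an operator applying the workaround would run against their own storescp invocation. The function names, the command template and the sample values are constructed for the example.

```cpp
#include <cctype>
#include <initializer_list>
#include <iostream>
#include <string>
#include <vector>

// Behaviour of the page's OFStandard::sanitizeFilename(), reproduced here for
// comparison: only the path separator is rewritten, everything else passes.
std::string sanitizeSeparatorsOnly(std::string value) {
    for (char &c : value) {
        if (c == '/') c = '_';
    }
    return value;
}

// Hypothetical allowlist for the #f / #p tokens. Both derive from DICOM UIDs,
// which consist only of digits and dots, so any other byte is replaced.
std::string sanitizeUidToken(const std::string &value) {
    std::string out;
    out.reserve(value.size());
    for (unsigned char c : value) {
        out.push_back((std::isdigit(c) || c == '.') ? static_cast<char>(c) : '_');
    }
    return out;
}

// Hypothetical allowlist for the #r token (reverse DNS name): DNS labels use
// letters, digits and hyphens joined by dots. Any other byte is replaced.
std::string sanitizeHostToken(const std::string &value) {
    std::string out;
    out.reserve(value.size());
    for (unsigned char c : value) {
        const bool ok = std::isalnum(c) || c == '-' || c == '.';
        out.push_back(ok ? static_cast<char>(c) : '_');
    }
    return out;
}

// Defence-in-depth gate: true if a value still carries characters that
// /bin/sh -c would interpret. A caller can refuse to run rather than rewrite.
bool containsShellMeta(const std::string &value) {
    static const std::string meta = ";|&$`<>()'\"\\*?[]{}~!#\n\t ";
    return value.find_first_of(meta) != std::string::npos;
}

// Configuration audit: list the attacker-influenced placeholders (#f, #p, #r)
// present in an --exec-on-reception / --exec-on-eostudy command template.
std::vector<std::string> riskyPlaceholders(const std::string &templ) {
    std::vector<std::string> found;
    for (const char *token : {"#f", "#p", "#r"}) {
        if (templ.find(token) != std::string::npos) found.push_back(token);
    }
    return found;
}

int main() {
    // Constructed sample values, not captured data.
    const std::string uid  = "1.2.3;true";        // UID-shaped value carrying a metacharacter
    const std::string host = "host.example;true"; // hostname-shaped value carrying a metacharacter
    const std::string cmd  = "/usr/local/bin/ingest.sh #f #r"; // hypothetical command template

    std::cout << "separator-only: " << sanitizeSeparatorsOnly(uid)
              << " (shell meta left: " << std::boolalpha
              << containsShellMeta(sanitizeSeparatorsOnly(uid)) << ")\n";
    std::cout << "uid allowlist:  " << sanitizeUidToken(uid) << "\n";
    std::cout << "host allowlist: " << sanitizeHostToken(host) << "\n";
    for (const auto &p : riskyPlaceholders(cmd)) {
        std::cout << "template uses risky placeholder " << p << "\n";
    }
    return 0;
}
```

The allowlist approach mirrors the direction taken for #a and #c in issue #1109: define the characters a field may legitimately contain and replace everything else, instead of enumerating bad characters. Until a patched build is deployed, riskyPlaceholders() over the configured command string is a quick way to confirm that the workaround (no #f, #p or #r, plus --disable-host-lookup) is actually in effect.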


Who We Are

The security researchers behind this advisory.


Dr. rer. nat. Simon Weber

Senior Pentester & MedSec Researcher

I evaluate your SaMD with the same industry-defining security insight I contributed to the BAK MV for the revision of the B3S standard.

  • PhD on Hospital Cybersecurity
  • Critical vulnerabilities found in hospital systems
  • Alumni of THB MedSec Research Group

Dipl.-Inf. Volker Schönefeld

Senior Application Security Expert

As a former CTO and developer turned pentester, I work alongside your team to uncover vulnerabilities and find solutions that fit your architecture.

  • 20+ years as CTO, 50M+ app downloads
  • Architected and secured large-scale IoT fleets
  • Certified Web Exploitation Specialist

Looking for a Penetration Test?

Machine Spirits specializes in security assessments for medical devices and healthcare IT. From MDR penetration testing to C5 cloud compliance, we help MedTech companies meet regulatory requirements.