CVE-2026-21851: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Project-MONAI MONAI
MONAI (Medical Open Network for AI) is an AI toolkit for health care imaging. In versions up to and including 1.5.1, a Path Traversal (Zip Slip) vulnerability exists in MONAI's `_download_from_ngc_private()` function. The function uses `zipfile.ZipFile.extractall()` without path validation, while other similar download functions in the same codebase properly use the existing `safe_extract_member()` function. Commit 4014c8475626f20f158921ae0cf98ed259ae4d59 fixes this issue.
AI Analysis
Technical Summary
CVE-2026-21851 is a path traversal vulnerability (CWE-22) in the Medical Open Network for AI (MONAI) toolkit, affecting versions up to and including 1.5.1. MONAI is widely used for AI-driven healthcare imaging applications. The vulnerability resides in the `_download_from_ngc_private()` function, which downloads and extracts ZIP archives from NVIDIA’s NGC private repository. Unlike other download functions in MONAI, which use `safe_extract_member()` to validate file paths during extraction, this function calls Python’s `zipfile.ZipFile.extractall()` directly without validating the paths of the extracted files. Because member paths are not limited to the extraction directory, an attacker can craft a malicious ZIP archive containing files with path traversal sequences (e.g., `../`) that can overwrite arbitrary files on the filesystem when extracted. The vulnerability requires no privileges and no authentication but does require user interaction to trigger the download and extraction process. The CVSS v3.1 score is 5.3 (medium severity), reflecting the network attack vector, high attack complexity, no privileges required, and user interaction needed. The impact primarily affects integrity, as arbitrary files can be overwritten, potentially leading to code execution or disruption of the AI imaging pipeline. The issue was fixed in commit 4014c8475626f20f158921ae0cf98ed259ae4d59 by adding proper path validation during ZIP extraction. No known exploits in the wild have been reported to date. Given MONAI’s role in healthcare AI, exploitation could undermine trust in medical imaging results or disrupt clinical workflows.
Potential Impact
For European organizations, particularly healthcare providers and research institutions leveraging MONAI for AI-driven medical imaging, this vulnerability poses a risk to the integrity of their systems and data. Successful exploitation could allow attackers to overwrite critical files, potentially injecting malicious code or corrupting AI models and imaging data. This could lead to misdiagnosis, disruption of clinical services, or exposure to further attacks. Since MONAI is used in sensitive healthcare environments, the impact extends beyond IT systems to patient safety and regulatory compliance under GDPR and medical device regulations. The requirement for user interaction and the high attack complexity somewhat limit widespread exploitation, but targeted attacks against healthcare AI pipelines remain a concern. The absence of known exploits suggests limited current threat activity, but the vulnerability’s presence in a critical healthcare AI toolkit necessitates proactive mitigation to prevent future incidents.
Mitigation Recommendations
European organizations should immediately update MONAI to a version later than 1.5.1 that includes the fix for CVE-2026-21851. If updating is not immediately feasible, implement manual path validation when extracting ZIP files in any custom workflows involving MONAI’s _download_from_ngc_private() function. Specifically, ensure that extracted file paths are sanitized to prevent directory traversal sequences and restrict extraction to intended directories. Additionally, restrict network access to trusted sources such as NVIDIA’s NGC repository and monitor for unusual file modifications in AI pipeline directories. Employ application whitelisting and integrity monitoring on systems running MONAI to detect unauthorized changes. Educate users about the risks of interacting with untrusted downloads within the AI toolkit environment. Finally, maintain up-to-date backups of critical AI models and imaging data to enable recovery in case of compromise.
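One way to apply the manual path validation recommended above, as an added example that is not MONAI's `safe_extract_member()` or any other code from the project: the hypothetical `checked_extract()` resolves each member's destination and rejects the whole archive if any entry would land outside the target directory. The helper names and the in-memory sample archives are constructed for illustration.

```python
import io
import os
import stat
import tempfile
import zipfile


def build_sample_zip(names):
    """Constructed sample: an in-memory ZIP holding the given member names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"sample")
    return buf


def checked_extract(zip_source, dest_dir):
    """Hypothetical helper: extract only if every member stays inside dest_dir."""
    # Validate everything first so a bad entry leaves no partial extraction.
    root = os.path.realpath(dest_dir)
    with zipfile.ZipFile(zip_source) as zf:
        members = zf.infolist()
        for info in members:
            # Symlink entries could redirect later writes; refuse them outright.
            if stat.S_ISLNK(info.external_attr >> 16):
                raise ValueError(f"symlink entry refused: {info.filename!r}")
            target = os.path.realpath(os.path.join(root, info.filename))
            if os.path.commonpath([root, target]) != root:
                raise ValueError(f"member escapes {root}: {info.filename!r}")
        for info in members:
            zf.extract(info, root)
    return [info.filename for info in members]


def demo():
    """Run the check on a benign archive and on one with a traversal name."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "bundle")
        os.mkdir(dest)
        results["ok"] = checked_extract(build_sample_zip(["model/weights.txt"]), dest)
        try:
            checked_extract(build_sample_zip(["config.txt", "../outside.txt"]), dest)
            results["rejected"] = False
        except ValueError:
            results["rejected"] = True
        results["partial_write"] = os.path.exists(os.path.join(dest, "config.txt"))
        results["escaped"] = os.path.exists(os.path.join(tmp, "outside.txt"))
    return results
```

Rejecting the archive as a whole, rather than skipping the offending member, keeps a tampered download from being partially installed into the pipeline directory.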
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Switzerland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-05T16:44:16.366Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 695ee0db07b8a419a74d1653
Added to database: 1/7/2026, 10:40:27 PM
Last enriched: 1/7/2026, 10:48:51 PM
Last updated: 1/9/2026, 12:00:20 AM