CVE-2026-34361

CRITICAL

HAPI FHIR: Unauthenticated SSRF via /loadIG Chains with startsWith() Credential Leak for Authentication Token Theft

Title source: cna

Description

HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.4, the FHIR Validator HTTP service exposes an unauthenticated "/loadIG" endpoint that makes outbound HTTP requests to attacker-controlled URLs. Combined with a startsWith() URL prefix matching flaw in the credential provider (ManagedWebAccessUtils.getServer()), an attacker can steal authentication tokens (Bearer, Basic, API keys) configured for legitimate FHIR servers by registering a domain that prefix-matches a configured server URL. This issue has been patched in version 6.9.4.

References (1)

[X_Refsource_Confirm] https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-vr79-8m62-wh98

Scores

CVSS v3 9.3

EPSS 0.0006

EPSS Percentile 18.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

Details

CWE

CWE-552

Status published

Products (3)

ca.uhn.hapi.fhir/org.hl7.fhir.validation 0 - 6.9.4Maven

hapifhir/hl7_fhir_core < 6.9.4

hapifhir/org.hl7.fhir.core < 6.9.4

Published Mar 31, 2026

Tracked Since Mar 31, 2026