Platform
java
Component
ca.uhn.hapi.fhir:org.hl7.fhir.validation
Fixed in
6.9.5
6.9.4
CVE-2026-34361 is a Server-Side Request Forgery (SSRF) vulnerability affecting HAPI FHIR, a Java-based HL7 FHIR standard implementation. This flaw allows unauthenticated attackers to make outbound HTTP requests to attacker-controlled URLs, potentially stealing authentication tokens. The vulnerability affects HAPI FHIR versions less than or equal to 6.9.4. Version 6.9.4 addresses this issue.
CVE-2026-34361 in org.hl7.fhir.core affects the FHIR Validator HTTP service, specifically the unauthenticated /loadIG endpoint which makes outbound HTTP requests to attacker-controlled URLs. Combined with a startsWith() URL prefix matching flaw in the credential provider (ManagedWebAccessUtils.getServer()), an attacker can steal authentication tokens (Bearer, Basic, API keys) configured for legitimate FHIR servers by registering a domain that prefix-matches a configured server URL. This allows for the exfiltration of sensitive credentials, compromising the security of healthcare data.
An attacker could exploit this vulnerability by setting up a malicious HTTP server that mimics a legitimate FHIR server. By registering a domain that matches a URL prefix of a vulnerable FHIR server, the attacker can trick the FHIR validation service into sending authentication requests to their malicious server. The malicious server can then intercept and steal the authentication tokens. The complexity of exploitation depends on the FHIR environment configuration and the availability of a domain matching the vulnerable URL prefix. The lack of authentication on /loadIG facilitates exploitation.
Exploit Status
EPSS
0.04% (13% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-34361 is to upgrade to version 6.9.4 or higher of org.hl7.fhir.core. This version corrects the startsWith() URL prefix matching flaw in ManagedWebAccessUtils.getServer(). Additionally, it's recommended to restrict access to the /loadIG endpoint to trusted sources and consider implementing authentication for this endpoint. Audit credential provider configurations to ensure no broad URL prefixes exist that could be exploited. Implementing a Web Application Firewall (WAF) can help detect and block exploitation attempts.
Actualice HAPI FHIR a la versión 6.9.4 o superior. Esta versión corrige la vulnerabilidad SSRF y la fuga de credenciales. La actualización evitará que atacantes no autenticados exploten el endpoint /loadIG para realizar solicitudes HTTP a URLs controladas por el atacante y robar tokens de autenticación.
Vulnerability analysis and critical alerts directly to your inbox.
FHIR (Fast Healthcare Interoperability Resources) is a healthcare data interoperability standard that facilitates the exchange of information between different healthcare systems.
This vulnerability could allow attackers to steal authentication credentials, potentially granting them unauthorized access to confidential healthcare data.
Immediately upgrade to version 6.9.4 or higher of org.hl7.fhir.core.
In addition to upgrading, restrict access to /loadIG, implement authentication, and audit your credential provider configurations.
Currently, there are no specific tools to detect this vulnerability, but security audits and penetration testing are recommended.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your pom.xml file and we'll tell you instantly if you're affected.