CVE-2026-34361

Aliases:GHSA-vr79-8m62-wh98
Received
Published: 31 Mar 2026, 16:56
Last modified:31 Mar 2026, 17:24

Vulnerability Summary

Overall Risk (default)
high
70/100
CVSS Score
9.3 CRITICAL
v3.1 (cve.org)
EPSS Score
No data
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

31 Mar 2026, 16:56
Published
Vulnerability first disclosed
31 Mar 2026, 17:24
Last Modified
Vulnerability information updated

Description

HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.4, the FHIR Validator HTTP service exposes an unauthenticated "/loadIG" endpoint that makes outbound HTTP requests to attacker-controlled URLs. Combined with a startsWith() URL prefix matching flaw in the credential provider (ManagedWebAccessUtils.getServer()), an attacker can steal authentication tokens (Bearer, Basic, API keys) configured for legitimate FHIR servers by registering a domain that prefix-matches a configured server URL. This issue has been patched in version 6.9.4.

CVSS Metrics

  • v3.1CRITICALScore: 9.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

Techniques & Countermeasures

  • CWE-552Files or Directories Accessible to External Parties

    The product makes files or directories accessible to unauthorized actors, even though they should not be.

Affected Systems

  • hapifhirorg.hl7.fhir.core

    < 6.9.4

  • ca.uhn.hapi.fhirorg.hl7.fhir.validation

    < 6.9.4

References (2)