CVE-2026-34361

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-34361

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-34361.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-34361

Aliases

GHSA-vr79-8m62-wh98

Published

2026-03-31T16:56:11.163Z

Modified

2026-04-10T05:43:01.201903Z

Severity

9.3 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N CVSS Calculator

Summary

HAPI FHIR: Unauthenticated SSRF via /loadIG Chains with startsWith() Credential Leak for Authentication Token Theft

Details

HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.4, the FHIR Validator HTTP service exposes an unauthenticated "/loadIG" endpoint that makes outbound HTTP requests to attacker-controlled URLs. Combined with a startsWith() URL prefix matching flaw in the credential provider (ManagedWebAccessUtils.getServer()), an attacker can steal authentication tokens (Bearer, Basic, API keys) configured for legitimate FHIR servers by registering a domain that prefix-matches a configured server URL. This issue has been patched in version 6.9.4.

Database specific

{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34361.json",
    "cwe_ids": [
        "CWE-552"
    ]
}

References

Affected packages

Git / github.com/hapifhir/org.hl7.fhir.core

Affected ranges

Type

GIT

Repo

https://github.com/hapifhir/org.hl7.fhir.core

Events

Introduced

Fixed

8ac83ba8e6c1f1e1230180a984ffcccfab291e1d

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "6.9.4"
        }
    ]
}

Affected versions

6.*

6.7.11

6.8.1

6.8.2

6.9.0

6.9.1

6.9.2

6.9.3

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-34361.json"