CVE-2026-49120

Source
https://cve.org/CVERecord?id=CVE-2026-49120
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-49120.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-49120
Published
2026-06-02T18:05:09.825Z
Modified
2026-07-08T08:15:39.495936446Z
Severity
  • 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N CVSS Calculator
Summary
Medplum < 5.1.14 SSRF via FHIR Subscription Endpoint
Details

Medplum before 5.1.14 contains a server-side request forgery vulnerability in the subscription worker that allows authenticated users to perform unauthorized internal network requests by creating FHIR Subscription resources with arbitrary endpoint URLs. Attackers can point subscription endpoints at internal addresses such as cloud instance metadata services, internal databases, or container orchestration endpoints to exfiltrate IAM credentials and patient health records via the POST body containing full FHIR resource payloads.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/49xxx/CVE-2026-49120.json",
    "cna_assigner": "VulnCheck",
    "cwe_ids": [
        "CWE-918"
    ]
}
References

Affected packages

Git / github.com/medplum/medplum

Affected ranges

Type
GIT
Repo
https://github.com/medplum/medplum
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "source": [
        "DESCRIPTION",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "5.1.14"
        }
    ]
}

Affected versions

V0.*
V0.9.18
v0.*
v0.1.0
v0.1.1
v0.1.2
v0.1.3
v0.1.4
v0.1.5
v0.1.6
v0.10.0
v0.10.1
v0.2.0
v0.2.1
v0.2.2
v0.3.0
v0.4.0
v0.4.1
v0.5.0
v0.5.2
v0.9.0
v0.9.1
v0.9.10
v0.9.11
v0.9.12
v0.9.13
v0.9.15
v0.9.17
v0.9.19
v0.9.2
v0.9.20
v0.9.21
v0.9.22
v0.9.23
v0.9.24
v0.9.25
v0.9.26
v0.9.27
v0.9.28
v0.9.29
v0.9.3
v0.9.30
v0.9.31
v0.9.32
v0.9.33
v0.9.34
v0.9.35
v0.9.36
v0.9.38
v0.9.4
v0.9.5
v0.9.6
v0.9.7
v0.9.8
v0.9.9
v1.*
v1.0.0
v1.0.1
v1.0.2
v1.0.3
v1.0.4
v1.0.5
v1.0.6
v2.*
v2.0.0
v2.0.1
v2.0.10
v2.0.11
v2.0.12
v2.0.13
v2.0.14
v2.0.15
v2.0.16
v2.0.17
v2.0.18
v2.0.19
v2.0.2
v2.0.20
v2.0.21
v2.0.22
v2.0.23
v2.0.24
v2.0.25
v2.0.26
v2.0.27
v2.0.28
v2.0.29
v2.0.3
v2.0.30
v2.0.31
v2.0.32
v2.0.4
v2.0.5
v2.0.6
v2.0.7
v2.0.8
v2.0.9
v2.1.0
v2.1.1
v2.1.10
v2.1.11
v2.1.12
v2.1.13
v2.1.14
v2.1.15
v2.1.16
v2.1.17
v2.1.18
v2.1.19
v2.1.2
v2.1.20
v2.1.21
v2.1.22
v2.1.23
v2.1.24
v2.1.25
v2.1.3
v2.1.4
v2.1.5
v2.1.6
v2.1.7
v2.1.8
v2.1.9
v2.2.0
v2.2.1
v2.2.10
v2.2.2
v2.2.3
v2.2.4
v2.2.5
v2.2.6
v2.2.7
v2.2.8
v2.2.9
v3.*
v3.0.0
v3.0.1
v3.0.10
v3.0.11
v3.0.12
v3.0.13
v3.0.2
v3.0.3
v3.0.4
v3.0.5
v3.0.6
v3.0.7
v3.0.8
v3.0.9
v3.1.0
v3.1.1
v3.1.10
v3.1.11
v3.1.2
v3.1.3
v3.1.4
v3.1.5
v3.1.6
v3.1.7
v3.1.8
v3.1.9
v3.2.0
v3.2.1
v3.2.10
v3.2.11
v3.2.12
v3.2.13
v3.2.14
v3.2.15
v3.2.16
v3.2.17
v3.2.18
v3.2.19
v3.2.2
v3.2.20
v3.2.21
v3.2.22
v3.2.23
v3.2.24
v3.2.25
v3.2.26
v3.2.27
v3.2.28
v3.2.29
v3.2.3
v3.2.30
v3.2.31
v3.2.32
v3.2.33
v3.2.4
v3.2.5
v3.2.6
v3.2.7
v3.2.8
v3.2.9
v3.3.0
v4.*
v4.0.0
v4.0.1
v4.0.2
v4.0.3
v4.0.4
v4.1.0
v4.1.1
v4.1.10
v4.1.11
v4.1.12
v4.1.2
v4.1.3
v4.1.4
v4.1.5
v4.1.6
v4.1.7
v4.1.8
v4.1.9
v4.2.0
v4.2.1
v4.2.2
v4.2.3
v4.2.4
v4.2.6
v4.3.0
v4.3.1
v4.3.10
v4.3.11
v4.3.12
v4.3.13
v4.3.14
v4.3.15
v4.3.2
v4.3.3
v4.3.4
v4.3.5
v4.3.6
v4.3.7
v4.3.8
v4.3.9
v4.4.0
v4.4.1
v4.4.2
v4.4.3
v4.5.0
v4.5.1
v4.5.2
v5.*
v5.0.0
v5.0.1
v5.0.10
v5.0.11
v5.0.12
v5.0.13
v5.0.14
v5.0.15
v5.0.2
v5.0.3
v5.0.4
v5.0.5
v5.0.6
v5.0.7
v5.0.8
v5.0.9
v5.1.0
v5.1.1
v5.1.10
v5.1.11
v5.1.12
v5.1.13
v5.1.2
v5.1.3
v5.1.4
v5.1.5
v5.1.6
v5.1.7
v5.1.8
v5.1.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-49120.json"