CVE-2026-34361
Description
HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.4, the FHIR Validator HTTP service exposes an unauthenticated "/loadIG" endpoint that makes outbound HTTP requests to attacker-controlled URLs. Combined with a startsWith() URL prefix matching flaw in the credential provider (ManagedWebAccessUtils.getServer()), an attacker can steal authentication tokens (Bearer, Basic, API keys) configured for legitimate FHIR servers by registering a domain that prefix-matches a configured server URL. This issue has been patched in version 6.9.4.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
ca.uhn.hapi.fhir:org.hl7.fhir.validationMaven | < 6.9.4 | 6.9.4 |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-vr79-8m62-wh98nvdExploitVendor AdvisoryWEB
- github.com/advisories/GHSA-vr79-8m62-wh98ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-34361ghsaADVISORY
News mentions
0No linked articles in our index yet.