Server-Side Request Forgery in HAPI FHIR Validator HTTP Service
CVE-2026-34360

5.8MEDIUM

Key Information:

Vendor: Hapifhir
Status: Org.hl7.fhir.core
Vendor: CVE Published:; 31 March 2026

What is CVE-2026-34360?

The HAPI FHIR Validator HTTP service contains a vulnerability that exposes it to server-side request forgery (SSRF) due to inadequate validation of user-supplied URLs. Specifically, the /loadIG endpoint permits unauthenticated attackers on the network to exploit this by submitting a crafted JSON request. This action allows them to make unauthorized HTTP requests, potentially accessing sensitive internal services and revealing network configurations through error-based information leakage. This vulnerability, discovered in versions prior to 6.9.4, significantly enhances an attacker's capability to conduct reconnaissance activities, as each request may trigger multiple outbound calls to various targets, amplifying the risk. Users are strongly advised to upgrade to version 6.9.4 or later to mitigate this issue.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

org.hl7.fhir.core < 6.9.4

References

https://github.com/hapifhir/org.hl7.fhir.core/security/ad...

x_refsource_CONFIRM

CVSS V3.1

Score:

5.8

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 31, 2026
Vulnerability Reserved
Mar 27, 2026

JSON

Hapifhir

What is CVE-2026-34360?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V3.1

Timeline

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.