URL Prefix Matching Flaw in HAPI FHIR Leads to Data Exposure Risk
CVE-2026-34361

9.3CRITICAL

Key Information:

Vendor

Hapifhir

Vendor
CVE Published:
31 March 2026

What is CVE-2026-34361?

HAPI FHIR, a Java implementation of the HL7 FHIR standard for healthcare interoperability, has a significant security vulnerability prior to version 6.9.4. This flaw allows unauthenticated access to the '/loadIG' endpoint, which can be exploited by attackers to make outbound HTTP requests to URLs they control. The vulnerability is compounded by an issue in the credential provider's URL prefix matching, enabling attackers to capture sensitive authentication tokens—such as Bearer, Basic, and API keys—configured for legitimate FHIR servers. This risk arises when an attacker registers a domain that matches the prefix of a configured server URL, resulting in serious data exposure risks. The vulnerability has been addressed in version 6.9.4, and users are urged to update to this version promptly.

Affected Version(s)

org.hl7.fhir.core < 6.9.4

References

CVSS V3.1

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.