URL Prefix Matching Flaw in HAPI FHIR Leads to Data Exposure Risk
CVE-2026-34361
What is CVE-2026-34361?
HAPI FHIR, a Java implementation of the HL7 FHIR standard for healthcare interoperability, has a significant security vulnerability prior to version 6.9.4. This flaw allows unauthenticated access to the '/loadIG' endpoint, which can be exploited by attackers to make outbound HTTP requests to URLs they control. The vulnerability is compounded by an issue in the credential provider's URL prefix matching, enabling attackers to capture sensitive authentication tokens—such as Bearer, Basic, and API keys—configured for legitimate FHIR servers. This risk arises when an attacker registers a domain that matches the prefix of a configured server URL, resulting in serious data exposure risks. The vulnerability has been addressed in version 6.9.4, and users are urged to update to this version promptly.
Affected Version(s)
org.hl7.fhir.core < 6.9.4
