URL Prefix Matching Flaw in HAPI FHIR Leads to Data Exposure Risk
CVE-2026-34361
What is CVE-2026-34361?
HAPI FHIR, a Java implementation of the HL7 FHIR standard for healthcare interoperability, contains a significant security vulnerability in versions prior to 6.9.4. The '/loadIG' endpoint is reachable without authentication, and a request to it can make the server issue outbound HTTP requests to URLs of the requester's choosing. The flaw is compounded by a defect in the credential provider's URL prefix matching: credentials configured for legitimate FHIR servers (Bearer tokens, Basic credentials and API keys) are attached to any request whose URL merely begins with a configured server URL. An attacker who registers a domain whose name starts with the configured server's name can therefore capture those credentials, which creates a serious data exposure risk. The vulnerability has been addressed in version 6.9.4, and users are urged to update to this version promptly.
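As an added illustration of the matching flaw described above (this is not code from HAPI FHIR or org.hl7.fhir.core), the following Java class contrasts a raw string-prefix check with a check that compares parsed scheme, host, port and path; the server and host names are constructed for the example.

```java
import java.net.URI;
import java.net.URISyntaxException;
// Illustrative credential-scope check, not code from HAPI FHIR / org.hl7.fhir.core.
// Decides whether the token configured for configuredServer may be sent to requestUrl.
public class CredentialScope {
    // Weak check: raw string-prefix matching. With "https://fhir.example.org" configured,
    // "https://fhir.example.org.lookalike.test/loadIG" also matches, so the token leaks.
    public static boolean prefixMatch(String configuredServer, String requestUrl) {
        return requestUrl.startsWith(configuredServer);
    }
    // Hardened check: parse both URLs and require identical scheme, host and effective
    // port, plus a request path equal to the configured base path or below it.
    public static boolean originMatch(String configuredServer, String requestUrl) {
        URI base, target;
        try {
            base = new URI(configuredServer);
            target = new URI(requestUrl);
        } catch (URISyntaxException e) {
            return false; // never release a credential for a URL we cannot parse
        }
        if (base.getScheme() == null || target.getScheme() == null
                || base.getHost() == null || target.getHost() == null) return false;
        if (!base.getScheme().equalsIgnoreCase(target.getScheme())) return false;
        if (!base.getHost().equalsIgnoreCase(target.getHost())) return false;
        if (effectivePort(base) != effectivePort(target)) return false;
        String basePath = normalizePath(base.getPath());
        String baseDir = basePath.endsWith("/") ? basePath : basePath + "/";
        String targetPath = normalizePath(target.getPath());
        return targetPath.equals(basePath) || targetPath.startsWith(baseDir);
    }
    private static String normalizePath(String p) {
        return (p == null || p.isEmpty()) ? "/" : p;
    }
    // Fill in the default port so "https://h" and "https://h:443" compare equal.
    private static int effectivePort(URI u) {
        return u.getPort() != -1 ? u.getPort() : ("https".equalsIgnoreCase(u.getScheme()) ? 443 : 80);
    }
    public static void main(String[] args) {
        String server = "https://fhir.example.org";
        String[] urls = {
            "https://fhir.example.org/Patient/1",             // legitimate: both checks pass
            "https://fhir.example.org.lookalike.test/loadIG", // prefix passes, origin rejects
            "https://fhir.example.org:8443/Patient/1",        // other port: origin rejects
        };
        for (String u : urls) {
            System.out.printf("%-50s prefix=%-5b origin=%b%n", u, prefixMatch(server, u), originMatch(server, u));
        }
    }
}
```

The first URL passes both checks, while the lookalike host and the non-default port pass only the prefix check, which is the behaviour a credential store must reject.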

Affected Version(s)
org.hl7.fhir.core < 6.9.4
