Server-Side Request Forgery in Medplum by Medplum
CVE-2026-49120

6.3 MEDIUM

Key Information:

Vendor: Medplum
Status: Vendor
CVE Published: 2 June 2026

What is CVE-2026-49120?

Medplum versions prior to 5.1.14 contain a server-side request forgery (SSRF) vulnerability in the subscription worker. Any authenticated user who can create a FHIR Subscription resource can set its channel endpoint to an arbitrary URL, including the address of an internal service, and the worker will deliver subscription notifications to that URL from the server's own network position. Each notification is an HTTP POST whose body is the complete FHIR resource that triggered it, so the flaw exposes sensitive data: the advisory names IAM credentials (the kind of data a cloud metadata service hands out) and patient health records. Cloud metadata services and internal databases are the targets the advisory calls out, and reaching them significantly compromises the security and integrity of the affected deployment. The fix is to upgrade to 5.1.14 or later; until then, restricting who may create Subscription resources and removing the worker's network path to metadata endpoints and internal databases limits the exposure.
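As an added example (not Medplum's code and not the upstream fix), the following TypeScript shows the kind of validation a Subscription endpoint should pass at create or update time, before the subscription worker can ever deliver to it. The function and type names, the https-only policy and the blocked hostname suffixes are this example's own choices; the address ranges are the standard private, loopback, link-local and carrier-grade NAT ranges, and 169.254.169.254 is the link-local metadata address used by AWS and others. The sample Subscription at the bottom is constructed for illustration.

```typescript
// Added example, not Medplum's implementation. Assumed names: BLOCKED_HOSTNAMES,
// isSafeSubscriptionEndpoint, validateSubscriptionChannel, SubscriptionLike.

// Hostnames never acceptable as a webhook target, beyond the numeric checks below.
const BLOCKED_HOSTNAMES = new Set(["localhost", "metadata.google.internal", "metadata"]);

interface EndpointCheck {
  ok: boolean;
  reason?: string;
}

// Parse a dotted-quad IPv4 literal into four octets, or null if it is not one.
function parseIPv4(host: string): number[] | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// Expand an IPv6 literal (brackets removed, hex groups only, as the WHATWG URL
// parser serialises it) into eight 16-bit groups, or null if malformed.
function parseIPv6(host: string): number[] | null {
  if (!host.includes(":")) return null;
  const halves = host.split("::");
  if (halves.length > 2) return null;
  const toGroups = (s: string): number[] | null => {
    if (s === "") return [];
    const out: number[] = [];
    for (const p of s.split(":")) {
      if (!/^[0-9a-fA-F]{1,4}$/.test(p)) return null;
      out.push(parseInt(p, 16));
    }
    return out;
  };
  const head = toGroups(halves[0]);
  const tail = halves.length === 2 ? toGroups(halves[1]) : [];
  if (!head || !tail) return null;
  const missing = 8 - head.length - tail.length;
  if (halves.length === 2 ? missing < 1 : missing !== 0) return null;
  return [...head, ...new Array<number>(missing).fill(0), ...tail];
}

function isPrivateIPv4(o: number[]): boolean {
  const [a, b] = o;
  return (
    a === 0 ||                             // 0.0.0.0/8
    a === 10 ||                            // 10.0.0.0/8
    a === 127 ||                           // loopback
    (a === 100 && b >= 64 && b <= 127) ||  // 100.64.0.0/10 carrier-grade NAT
    (a === 169 && b === 254) ||            // link-local, includes 169.254.169.254 metadata
    (a === 172 && b >= 16 && b <= 31) ||   // 172.16.0.0/12
    (a === 192 && b === 168) ||            // 192.168.0.0/16
    a >= 224                               // multicast and reserved
  );
}

function isPrivateIPv6(g: number[]): boolean {
  if (g.slice(0, 5).every((x) => x === 0) && g[5] === 0xffff) {
    // IPv4-mapped (::ffff:a.b.c.d): judge the embedded IPv4 address instead.
    return isPrivateIPv4([g[6] >> 8, g[6] & 0xff, g[7] >> 8, g[7] & 0xff]);
  }
  if (g.slice(0, 7).every((x) => x === 0) && g[7] <= 1) return true; // :: and ::1
  if ((g[0] & 0xfe00) === 0xfc00) return true; // fc00::/7 unique local
  if ((g[0] & 0xffc0) === 0xfe80) return true; // fe80::/10 link-local
  if ((g[0] & 0xff00) === 0xff00) return true; // ff00::/8 multicast
  return false;
}

// Returns ok=false with a reason when the endpoint must be rejected.
function isSafeSubscriptionEndpoint(endpoint: string): EndpointCheck {
  let url: URL;
  try {
    url = new URL(endpoint);
  } catch {
    return { ok: false, reason: "not an absolute URL" };
  }
  // Example policy: https only. Rules out http://, file://, gopher:// and plaintext PHI delivery.
  if (url.protocol !== "https:") return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  if (url.username || url.password) return { ok: false, reason: "credentials in URL not allowed" };
  // WHATWG parsing has already lower-cased the host and normalised numeric forms
  // such as 0x7f000001 or 2130706433 to dotted-quad 127.0.0.1.
  const host = url.hostname.replace(/^\[|\]$/g, "");
  if (host === "" || BLOCKED_HOSTNAMES.has(host) || host.endsWith(".localhost") || host.endsWith(".internal")) {
    return { ok: false, reason: `host ${host} is blocked` };
  }
  const v4 = parseIPv4(host);
  if (v4) return isPrivateIPv4(v4) ? { ok: false, reason: `IPv4 ${host} is not publicly routable` } : { ok: true };
  const v6 = parseIPv6(host);
  if (v6) return isPrivateIPv6(v6) ? { ok: false, reason: `IPv6 ${host} is not publicly routable` } : { ok: true };
  // A DNS name: this check cannot see what it resolves to (see the note on rebinding).
  return { ok: true };
}

// Minimal shape of the FHIR R4 Subscription fields this check needs.
interface SubscriptionLike {
  resourceType: "Subscription";
  channel: { type: string; endpoint?: string };
}

// Apply at create/update time, before the resource is stored and the worker can pick it up.
function validateSubscriptionChannel(sub: SubscriptionLike): EndpointCheck {
  if (sub.channel.type !== "rest-hook") return { ok: true }; // no outbound HTTP delivery
  if (!sub.channel.endpoint) return { ok: false, reason: "rest-hook channel requires an endpoint" };
  return isSafeSubscriptionEndpoint(sub.channel.endpoint);
}

// Constructed sample: a rest-hook Subscription aimed at the link-local metadata address.
const sampleSubscription: SubscriptionLike = {
  resourceType: "Subscription",
  channel: { type: "rest-hook", endpoint: "https://169.254.169.254/latest/meta-data/" },
};
console.log(validateSubscriptionChannel(sampleSubscription));
```

A literal check like this is necessary but not sufficient. It cannot see that a public-looking hostname resolves to 169.254.169.254 or to a database host, and a hostname can change its answer between validation and delivery (DNS rebinding). In production the worker should also resolve the name at delivery time, re-run the address check on the resolved address and connect to exactly that address, re-validate every redirect target rather than following redirects blindly, and run from a network segment with no route to metadata endpoints or internal databases.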

Affected Version(s)

medplum, all versions prior to 5.1.14

CVSS V4

Score: 6.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Note that the vector as recorded here (no confidentiality impact, privileges required undefined) does not match the description above, which requires an authenticated user and describes exposure of credentials and patient records; treat the score as provisional and triage on the description.

Timeline

  • Vulnerability reserved

  • Vulnerability published: 2 June 2026

Credit

Katriel Moses (VulnCheck)