Denial of Service Vulnerability in HAPI FHIR Product by HAPI FHIR
CVE-2026-49485

7.5HIGH

Key Information:

Vendor

Hapifhir

Vendor
CVE Published:
17 July 2026

What is CVE-2026-49485?

The HAPI FHIR framework, which implements the HL7 FHIR standard for healthcare interoperability, is susceptible to a denial of service vulnerability due to inadequate input validation. This vulnerability arises from the FHIRPathEngine's acceptance of arbitrary FHIRPath expressions. Functions such as matches(), matchesFull(), and replaceMatches() process user-supplied regex patterns without strict validation, leading to potential CPU exhaustion caused by catastrophic backtracking. Attackers can exploit this flaw by sending crafted requests to the FHIR Validator HTTP endpoint, disrupting service availability. The issue has been addressed in versions 6.9.9 and 6.9.4.2.

Affected Version(s)

org.hl7.fhir.core < 6.9.4.2 < 6.9.4.2

org.hl7.fhir.core >= 6.9.5, < 6.9.9 < 6.9.5, 6.9.9

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.