Regex Backtracking Flaw in HAPI FHIR Implementation from HAPI FHIR
CVE-2026-55470

7.5HIGH

Key Information:

Vendor

Hapifhir

Vendor
CVE Published:
8 July 2026

What is CVE-2026-55470?

An unauthenticated attacker can exploit a regex backtracking flaw in the HAPI FHIR library in versions prior to 6.9.10. The flaw allows attackers to trigger excessive CPU usage through the FHIRPathEngine.matches() function in the DSTU2 module, jeopardizing server performance. The vulnerability was previously addressed in a partial fix for CVE-2026-45367, but the raw String.matches() method lacks RegexTimeout protection, amplifying the risk. Users are advised to upgrade to version 6.9.10 or later to mitigate this issue.

Affected Version(s)

org.hl7.fhir.core < 6.9.10

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.