CVE-2026-34361
CRITICAL · CVSS 9.3
EPSS exploitation probability: 0%
Published 2026-03-31T17:16:32.923 · Last modified 2026-06-17T10:38:56.780

Summary

HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.4, the FHIR Validator HTTP service exposes an unauthenticated "/loadIG" endpoint that makes outbound HTTP requests to attacker-controlled URLs. Combined with a startsWith() URL prefix matching flaw in the credential provider (ManagedWebAccessUtils.getServer()), an attacker can steal authentication tokens (Bearer, Basic, API keys) configured for legitimate FHIR servers by registering a domain that prefix-matches a configured server URL. This issue has been patched in version 6.9.4.
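The prefix-matching flaw the summary describes, beside an origin-based check that closes it, as an added Python sketch of the pattern (not HAPI FHIR's own code; the credential table, server names and secrets are constructed placeholders):

```python
from urllib.parse import urlsplit

# Constructed credential table: server URL -> secret that must only ever be
# sent to that server. Values are placeholders, not real credentials.
SERVERS = {
    "https://fhir.example.org": "Bearer TOKEN-PLACEHOLDER",
    "https://terminology.example.net/r4": "Basic BASIC-PLACEHOLDER",
}


def select_credential_by_prefix(url):
    """Flawed pattern: a plain string prefix match, so any URL that merely
    begins with the configured server string receives its secret."""
    for server, secret in SERVERS.items():
        if url.startswith(server):
            return secret
    return None


def _port(parts):
    # Explicit port if present, otherwise the scheme default.
    return parts.port or (443 if parts.scheme == "https" else 80)


def select_credential_by_origin(url):
    """Hardened: scheme, host and port must match exactly; the path must
    match the configured path on a '/' boundary."""
    try:
        req = urlsplit(url)
        req_port = _port(req)
    except ValueError:  # malformed port or netloc: never release a secret
        return None
    if not req.hostname:
        return None
    for server, secret in SERVERS.items():
        cfg = urlsplit(server)
        if req.scheme != cfg.scheme or req.hostname != cfg.hostname:
            continue
        if req_port != _port(cfg):
            continue
        base = cfg.path.rstrip("/")
        if req.path == base or req.path.startswith(base + "/"):
            return secret
    return None
```

A lookalike host such as `fhir.example.org.attacker.invalid`, a userinfo trick (`https://fhir.example.org@other.invalid/`), a scheme downgrade or a different port all pass the prefix check and all fail the origin check.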

Affected products

hapifhir — hl7_fhir_core

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.