Description
HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.4, ManagedWebAccessUtils.getServer() uses String.startsWith() to match request URLs against configured server URLs for authentication credential dispatch. Because configured server URLs (e.g., http://tx.fhir.org) lack a trailing slash or host boundary check, an attacker-controlled domain like http://tx.fhir.org.attacker.com matches the prefix and receives Bearer tokens, Basic auth credentials, or API keys when the HTTP client follows a redirect to that domain. This issue has been patched in version 6.9.4.
Published: 2026-03-31
Score: 7.4 High
EPSS: n/a
KEV: No
Impact: Unauthorized credential disclosure
Action: Apply Patch
AI Analysis

Impact

The vulnerability in HAPI FHIR occurs when the system matches request URLs with String.startsWith() without enforcing a trailing slash or host boundary. An attacker can craft a domain that shares the same prefix as a legitimate server URL, such as http://tx.fhir.org.attacker.com. When the client's HTTP redirect follows this forged domain, the server unknowingly dispatches authentication credentials, including Bearer tokens, Basic auth credentials, or API keys. This produces a direct disclosure of sensitive credentials to an adversary, compromising confidentiality and potentially enabling further unauthorized access. The flaw corresponds to the CWE-346 weakness: Unvalidated Redirects and Insufficient Transport Layer Protection.

Affected Systems

The affected product is HAPI FHIR Core (org.hl7.fhir.core). All installations using a version prior to 6.9.4 are susceptible, as that release contains the bug in ManagedWebAccessUtils.getServer(). Users employing newer releases, starting with 6.9.4, receive the fixed implementation.

Risk and Exploitability

The CVSS base score of 7.4 classifies this as a high risk vulnerability, and while EPSS data is not available, the exposure of authentication tokens suggests the likelihood of exploitation is significant if an attacker can influence the redirect behavior. The vulnerability is not currently listed in the CISA KEV catalog. Exploitation requires the attacker to poison a redirect or supply a forged URL that matches the server prefix, a scenario that is feasible in environments where external redirect targets are not tightly controlled.

Generated by OpenCVE AI on March 31, 2026 at 18:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade HAPI FHIR Core to version 6.9.4 or later.
  • Verify that all redirection URLs include proper trailing slashes and fully qualified domains to prevent prefix matching.
  • Review and restrict which external domains can be used as redirect targets in the application.
  • Monitor logs for unexpected credential leaks and investigate any suspicious authentication activity.

Generated by OpenCVE AI on March 31, 2026 at 18:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-fgv2-4q4g-wc35 HAPI FHIR Core has Authentication Credential Leakage via Improper URL Prefix Matching on HTTP Redirect
History

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Hapifhir
Hapifhir hl7 Fhir Core
Vendors & Products Hapifhir
Hapifhir hl7 Fhir Core

Tue, 31 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 17:00:00 +0000

Type Values Removed Values Added
Description HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.4, ManagedWebAccessUtils.getServer() uses String.startsWith() to match request URLs against configured server URLs for authentication credential dispatch. Because configured server URLs (e.g., http://tx.fhir.org) lack a trailing slash or host boundary check, an attacker-controlled domain like http://tx.fhir.org.attacker.com matches the prefix and receives Bearer tokens, Basic auth credentials, or API keys when the HTTP client follows a redirect to that domain. This issue has been patched in version 6.9.4.
Title HAPI FHIR: Authentication Credential Leakage via Improper URL Prefix Matching on HTTP Redirect in HAPI FHIR Core
Weaknesses CWE-346
References
Metrics cvssV3_1

{'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}

Subscriptions

Hapifhir Hl7 Fhir Core
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-31T19:09:08.160Z

Reserved: 2026-03-27T13:43:14.368Z

Link: CVE-2026-34359

cve-icon Vulnrichment

Updated: 2026-03-31T19:04:39.513Z

cve-icon NVD

Status : Received

Published: 2026-03-31T17:16:31.937

Modified: 2026-03-31T20:16:29.183

Link: CVE-2026-34359

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-31T20:37:51Z

Weaknesses