Impact
HAPI FHIR Core mishandles URL prefix matching when deciding where to send authentication credentials. The code compares a configured server URL against the request URL with a simple string prefix test, ignoring trailing slashes and host boundaries. As a result, a host that merely shares a prefix, such as http://tx.fhir.org.attacker.com, can masquerade as the legitimate server. When the client follows an HTTP redirect to that host, the library inadvertently sends the Bearer tokens, Basic authentication credentials, or API keys intended for the real service. The improperly matched URL thus exposes sensitive authentication data, enabling attackers to impersonate users or access protected resources.
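An added illustration of the flaw described above, not code from HAPI FHIR Core (the advisory does not quote the library's source): a naive prefix test of the kind described, beside a hardened comparison that parses both URLs. The class, method names and sample URLs are assumptions for this example.

```java
import java.net.URI;
import java.net.URISyntaxException;

public class ServerMatchDemo {
    // Naive prefix test: "http://tx.fhir.org.attacker.com" starts with
    // "http://tx.fhir.org", so credentials meant for tx.fhir.org would match it.
    static boolean naiveMatches(String configuredServer, String requestUrl) {
        return requestUrl.startsWith(configuredServer);
    }

    // Hardened: parse both URLs, require scheme, host and port to match exactly,
    // and require the request path to equal the configured path or extend it
    // at a "/" segment boundary.
    static boolean hardenedMatches(String configuredServer, String requestUrl) {
        URI cfg, req;
        try {
            cfg = new URI(configuredServer);
            req = new URI(requestUrl);
        } catch (URISyntaxException e) {
            return false; // unparseable input never matches
        }
        if (cfg.getScheme() == null || cfg.getHost() == null
                || req.getScheme() == null || req.getHost() == null) {
            return false;
        }
        if (!cfg.getScheme().equalsIgnoreCase(req.getScheme())) return false;
        if (!cfg.getHost().equalsIgnoreCase(req.getHost())) return false;
        if (effectivePort(cfg) != effectivePort(req)) return false;
        String cfgPath = stripTrailingSlashes(cfg.getPath());
        String reqPath = stripTrailingSlashes(req.getPath());
        return reqPath.equals(cfgPath) || reqPath.startsWith(cfgPath + "/");
    }

    private static int effectivePort(URI u) {
        if (u.getPort() != -1) return u.getPort();
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    // "/r4/" and "/r4" compare equal; an absent path is treated as the root.
    private static String stripTrailingSlashes(String p) {
        if (p == null) return "";
        while (p.endsWith("/")) p = p.substring(0, p.length() - 1);
        return p;
    }

    public static void main(String[] args) {
        String cfg = "http://tx.fhir.org/r4";
        String lookalike = "http://tx.fhir.org.attacker.com/r4"; // constructed sample
        System.out.println("naive:    " + naiveMatches(cfg, lookalike));
        System.out.println("hardened: " + hardenedMatches(cfg, lookalike));
    }
}
```

The naive check accepts the look-alike host while the hardened check rejects it, and the hardened check still accepts a sub-path on the real host such as http://tx.fhir.org/r4/metadata.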
Affected Systems
The issue affects installations of the HAPI FHIR Core library, specifically versions released prior to 6.9.4. Anyone using the org.hl7.fhir.core package for healthcare interoperability in Java is vulnerable until the library is upgraded. The bug lies in the ManagedWebAccessUtils.getServer() method, which was corrected in the 6.9.4 release.
Risk and Exploitability
The vulnerability carries a CVSS score of 7.4, indicating high severity. EPSS scoring shows a probability of exploitation below 1 %, and the vulnerability is not currently listed in the CISA KEV catalog. The attack vector is remote: an attacker needs to control or manipulate the target of an HTTP redirect. Once a client follows that redirect, the redirect target receives the leaked credentials, with no local access required. Given the low EPSS, widespread exploitation is unlikely, but highly motivated attackers or malicious intermediaries could use this technique, especially in environments that trust redirect targets or that use the library without additional redirect validation.
OpenCVE Enrichment
Github GHSA