Description
HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.4, the /loadIG HTTP endpoint in the FHIR Validator HTTP service accepts a user-supplied URL via JSON body and makes server-side HTTP requests to it without any hostname, scheme, or domain validation. An unauthenticated attacker with network access to the validator can probe internal network services, cloud metadata endpoints, and map network topology through error-based information leakage. With explore=true (the default for this code path), each request triggers multiple outbound HTTP calls, amplifying reconnaissance capability. This issue has been patched in version 6.9.4.
Published: 2026-03-31
Score: 5.8 Medium
EPSS: n/a
KEV: No
Impact: Blind Server‑Side Request Forgery enabling internal network reconnaissance
Action: Immediate Patch
AI Analysis

Impact

The HAPI FHIR Validator HTTP service contains a blind Server-Side Request Forgery flaw: the /loadIG endpoint accepts a user-supplied URL without validating its hostname, scheme, or domain. Because the endpoint is unauthenticated, anyone who can reach the validator can make it request arbitrary internal URLs. Differences in the resulting error responses reveal whether the targeted host or service exists, and when the explore parameter remains true (the default for this code path) each request triggers multiple outbound calls, amplifying the amount of information returned.

Affected Systems

HAPI FHIR, the open-source HL7 FHIR implementation in Java, is affected. All releases of the org.hl7.fhir.core component prior to version 6.9.4 are vulnerable. The flaw lies in the FHIR Validator HTTP service, specifically its /loadIG endpoint.

Risk and Exploitability

The CVSS v3.1 score of 5.8 indicates medium severity. EPSS data is not available and the flaw is not listed in the CISA KEV catalog, but it is exploitable over the network by any unauthenticated user who can reach the validator service. Because exploitation requires only network connectivity and a crafted JSON request, an attacker can map internal services, probe cloud metadata endpoints, or discover hostnames through error-based information leakage. The absence of authentication, combined with server-initiated outbound requests, makes this a valuable reconnaissance vector for an attacker seeking an internal foothold.

Generated by OpenCVE AI on March 31, 2026 at 18:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch to upgrade HAPI FHIR to version 6.9.4 or newer.
  • Ensure that the /loadIG endpoint is disabled or protected behind authentication if the service is publicly exposed.
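As an added example (not HAPI FHIR's own code), the kind of server-side gate the description says was missing: scheme, host-allowlist and resolved-address checks applied to a /loadIG-style JSON request before any outbound call is made, with a generic error reply so the response itself does not leak what the resolver or connection attempt saw. The JSON field names, the allowlist and the offline DNS stub are assumptions constructed for this example.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Operator-defined allowlist of IG package hosts (an assumption for this
# example; the advisory names no such list). Both names are constructed.
ALLOWED_IG_HOSTS = {"packages.fhir.org", "ig.example.org"}

# Constructed stand-in for DNS so the example runs offline; a deployment
# would call socket.getaddrinfo and check every returned address. The
# second name deliberately points inside, so an allowlist alone is not enough.
FAKE_DNS = {"packages.fhir.org": ["1.2.3.4"], "ig.example.org": ["10.0.0.5"]}

def is_blocked_address(ip: str) -> bool:
    """True for addresses an IG fetch must never reach: loopback, RFC 1918,
    link-local (covers the 169.254.169.254 cloud metadata service),
    multicast, unspecified and reserved ranges."""
    addr = ipaddress.ip_address(ip)
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_unspecified or addr.is_reserved)

def validate_ig_url(url: str, resolver=FAKE_DNS.get) -> str:
    """Return url if the scheme, host allowlist and resolved-address checks
    all pass; otherwise raise ValueError naming the failed check."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_IG_HOSTS:
        raise ValueError(f"host not on allowlist: {host!r}")
    addresses = resolver(host) or []
    if not addresses:
        raise ValueError(f"host did not resolve: {host!r}")
    for ip in addresses:
        if is_blocked_address(ip):
            raise ValueError(f"{host} resolves to blocked address {ip}")
    return url

def handle_load_ig(body: str) -> dict:
    """Gate a /loadIG-style JSON body before any outbound request is made.
    The field names 'url' and 'explore' are assumptions, not HAPI FHIR's."""
    req = json.loads(body)
    try:
        url = validate_ig_url(str(req.get("url", "")))
    except ValueError:
        # Reply generically: echoing resolver or connection errors would be
        # the error-based leakage the advisory describes.
        return {"ok": False, "error": "invalid IG URL"}
    return {"ok": True, "url": url, "explore": bool(req.get("explore", True))}
```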


Advisories

Source: GitHub GHSA
ID: GHSA-3ww8-jw56-9f5h
Title: FHIR Validator: Unauthenticated Blind SSRF via /loadIG Endpoint Enables Internal Network Probing
History

Wed, 01 Apr 2026 02:15:00 +0000

Type: First Time appeared
Values Added: Hapifhir; Hapifhir hl7 Fhir Core

Type: Vendors & Products
Values Added: Hapifhir; Hapifhir hl7 Fhir Core

Tue, 31 Mar 2026 17:00:00 +0000

Type: Description
Values Added: HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.4, the /loadIG HTTP endpoint in the FHIR Validator HTTP service accepts a user-supplied URL via JSON body and makes server-side HTTP requests to it without any hostname, scheme, or domain validation. An unauthenticated attacker with network access to the validator can probe internal network services, cloud metadata endpoints, and map network topology through error-based information leakage. With explore=true (the default for this code path), each request triggers multiple outbound HTTP calls, amplifying reconnaissance capability. This issue has been patched in version 6.9.4.

Type: Title
Values Added: HAPI FHIR: Unauthenticated Blind SSRF via /loadIG Endpoint Enables Internal Network Probing

Type: Weaknesses
Values Added: CWE-918

Type: References
Values Added: (none listed)

Type: Metrics
Values Added: cvssV3_1 {'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-31T16:56:05.034Z

Reserved: 2026-03-27T13:43:14.368Z

Link: CVE-2026-34360

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-03-31T17:16:32.767

Modified: 2026-03-31T17:16:32.767

Link: CVE-2026-34360

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T20:37:50Z

Weaknesses