Description
HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.4, the FHIR Validator HTTP service exposes an unauthenticated "/loadIG" endpoint that makes outbound HTTP requests to attacker-controlled URLs. Combined with a startsWith() URL prefix matching flaw in the credential provider (ManagedWebAccessUtils.getServer()), an attacker can steal authentication tokens (Bearer, Basic, API keys) configured for legitimate FHIR servers by registering a domain that prefix-matches a configured server URL. This issue has been patched in version 6.9.4.
Published: 2026-03-31
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Credential Theft via SSRF
Action: Patch
AI Analysis

Impact

An unauthenticated "/loadIG" endpoint in HAPI FHIR allows external callers to trigger outbound HTTP requests to arbitrary URLs, creating a server‑side request forgery condition. A separate startsWith() flaw in the credential provider permits an attacker to register a domain that matches a prefix of a legitimate FHIR server URL, enabling capture of any authentication tokens (Bearer, Basic, API keys) stored for that server. The combination of these flaws permits an attacker to steal sensitive credentials, potentially giving them full control over the affected FHIR instance. This weakness is classified as CWE‑552, reflecting the excessive exposure of sensitive data.

Affected Systems

The problem exists in the HAPI FHIR implementation (org.hl7.fhir.core) and affects all versions released before 6.9.4. Any deployment that exposes the FHIR Validator HTTP service with the "/loadIG" endpoint is vulnerable, regardless of the underlying operating system or network configuration.

Risk and Exploitability

The CVSS base score of 9.3 classifies the vulnerability as critical, while the EPSS score of less than 1% indicates that widespread exploitation is currently low. The issue is not listed in the CISA KEV catalog. Based on the description, the likely attack vector requires network access to the FHIR Validator and does not need any prior authentication; an attacker can craft a request to the vulnerable endpoint and register a malicious domain to siphon credentials. The flaw is highly actionable and carries the potential for significant credential compromise.

Generated by OpenCVE AI on April 3, 2026 at 17:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade HAPI FHIR to version 6.9.4 or newer
  • If an immediate upgrade is not possible, limit network exposure to the FHIR Validator and disable the "/loadIG" endpoint if the configuration permits

Generated by OpenCVE AI on April 3, 2026 at 17:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-vr79-8m62-wh98 FHIR Validator HTTP service has SSRF via /loadIG Chains with startsWith() Credential Leak for Authentication Token Theft
History

Fri, 03 Apr 2026 14:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:hapifhir:hl7_fhir_core:*:*:*:*:*:*:*:*

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Hapifhir
Hapifhir hl7 Fhir Core
Vendors & Products Hapifhir
Hapifhir hl7 Fhir Core

Tue, 31 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 17:00:00 +0000

Type Values Removed Values Added
Description HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.4, the FHIR Validator HTTP service exposes an unauthenticated "/loadIG" endpoint that makes outbound HTTP requests to attacker-controlled URLs. Combined with a startsWith() URL prefix matching flaw in the credential provider (ManagedWebAccessUtils.getServer()), an attacker can steal authentication tokens (Bearer, Basic, API keys) configured for legitimate FHIR servers by registering a domain that prefix-matches a configured server URL. This issue has been patched in version 6.9.4.
Title HAPI FHIR: Unauthenticated SSRF via /loadIG Chains with startsWith() Credential Leak for Authentication Token Theft
Weaknesses CWE-552
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N'}

Subscriptions

Hapifhir Hl7 Fhir Core
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-31T17:24:58.558Z

Reserved: 2026-03-27T13:43:14.368Z

Link: CVE-2026-34361

cve-icon Vulnrichment

Updated: 2026-03-31T17:24:55.698Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-31T17:16:32.923

Modified: 2026-04-03T12:56:06.837

Link: CVE-2026-34361

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-03T21:17:30Z

Weaknesses