CVE-2026-33180
HTTP Header Exposure via Redirects in HAPI FHIR Before
Publication date: 2026-03-20
Last updated on: 2026-03-20
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hapi_fhir | hapi_fhir | up to 6.9.0 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in HAPI FHIR occurs when its internal HTTP client sends HTTP headers containing potentially sensitive information to multiple hosts during HTTP redirects. Specifically, before version 6.9.0, when following a 30X redirect response, the client sends the same headers not only to the original host but also to the host specified in the Location header of the redirect response. This can expose privacy-sensitive data or information that could allow others to impersonate the client's request.
How can this vulnerability impact me?
This vulnerability can lead to the unintended disclosure of privacy-sensitive information or authentication data to unintended hosts during HTTP redirects. As a result, attackers or unauthorized parties could intercept this information and potentially impersonate the client, leading to privacy breaches or unauthorized access.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade HAPI FHIR to version 6.9.0 or later, where the issue has been patched.
No known workarounds are available, so applying the update is the recommended immediate step.
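The redirect behaviour described in the Q&A above, shown as an added Python illustration (not HAPI FHIR's own code, which is Java): a small simulated HTTP client follows a 30x redirect against a constructed response table and, depending on the `strip_cross_origin` flag, either forwards every request header to the new host (the pre-6.9.0 behaviour) or drops credential-bearing headers once the scheme, host or port changes. The response table, the URLs and the bearer token are constructed for the example; `SENSITIVE_HEADERS` is an assumed list, not one taken from the project.

```python
from urllib.parse import urljoin, urlsplit

# Assumed set of headers that carry credentials and must not cross an origin boundary.
SENSITIVE_HEADERS = {"authorization", "cookie", "proxy-authorization"}

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def origin(url):
    """Return (scheme, host, port) so that two URLs can be compared as origins."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
    return (parts.scheme.lower(), (parts.hostname or "").lower(), port)


def headers_for_redirect(request_url, location, headers, strip_cross_origin=True):
    """Resolve the Location header and decide which headers follow the request there.

    With strip_cross_origin=True, credential headers are removed when the target
    origin differs from the origin of the original request; otherwise every
    header is forwarded unchanged, which is the leak this CVE describes.
    """
    target = urljoin(request_url, location)
    if not strip_cross_origin or origin(target) == origin(request_url):
        return target, dict(headers)
    kept = {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}
    return target, kept


def follow_redirects(url, headers, responses, strip_cross_origin=True, max_hops=5):
    """Simulate a client following redirects.

    `responses` is a constructed table mapping URL -> (status, Location or None).
    Returns the list of (url, headers) pairs that were "sent", in order, so a
    caller can audit exactly which host saw which headers.
    """
    sent = []
    for _ in range(max_hops + 1):
        sent.append((url, dict(headers)))
        status, location = responses.get(url, (200, None))
        if status not in REDIRECT_STATUSES or not location:
            return sent
        url, headers = headers_for_redirect(url, location, headers, strip_cross_origin)
    raise RuntimeError("too many redirects")


def hosts_that_received(sent, header_name):
    """Audit helper: hostnames that received the named header during the exchange."""
    wanted = header_name.lower()
    return [
        urlsplit(url).hostname
        for url, hdrs in sent
        if any(k.lower() == wanted for k in hdrs)
    ]


# Constructed sample: the FHIR server redirects the client to a second host.
RESPONSES = {
    "https://fhir.example.org/Patient/1": (302, "https://cdn.example.net/Patient/1"),
    "https://cdn.example.net/Patient/1": (200, None),
}
REQUEST_HEADERS = {
    "Authorization": "Bearer constructed-example-token",
    "Accept": "application/fhir+json",
}

if __name__ == "__main__":
    start = "https://fhir.example.org/Patient/1"
    leaky = follow_redirects(start, REQUEST_HEADERS, RESPONSES, strip_cross_origin=False)
    safe = follow_redirects(start, REQUEST_HEADERS, RESPONSES, strip_cross_origin=True)
    print("forwarding everything, Authorization reached:", hosts_that_received(leaky, "Authorization"))
    print("stripping on origin change, Authorization reached:", hosts_that_received(safe, "Authorization"))
```

The audit helper is the practical takeaway: when reviewing an HTTP client library, trace which hosts a credential header reaches across the whole redirect chain rather than only at the first request, and treat any change of scheme, host or port as a new origin that should not inherit credentials.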