CVE-2026-49120
Server-Side Request Forgery in Medplum Prior to 5.1.14
Publication date: 2026-06-02
Last updated on: 2026-06-02
Assigner: VulnCheck
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| medplum | medplum | before 5.1.14 (5.1.14 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows attackers to exfiltrate sensitive data such as IAM credentials and patient health records by exploiting unauthorized internal network requests via FHIR Subscription endpoints.
Exfiltration of patient health records can lead to violations of data protection regulations like HIPAA, which mandates the protection of health information, and GDPR, which requires safeguarding personal data and reporting breaches.
Therefore, this vulnerability poses a risk to compliance with these standards by potentially exposing protected health information and sensitive credentials.
Can you explain this vulnerability to me?
This vulnerability is a Server-Side Request Forgery (SSRF) issue in Medplum versions before 5.1.14. It occurs in the subscription worker component, where authenticated users can create FHIR Subscription resources with arbitrary endpoint URLs.
By exploiting this flaw, attackers can make unauthorized internal network requests to sensitive internal services such as cloud instance metadata services, internal databases, or container orchestration endpoints.
These requests include POST bodies containing full FHIR resource payloads, which can be used to exfiltrate sensitive information like IAM credentials and patient health records.
How can this vulnerability impact me?
The impact of this vulnerability includes unauthorized access to internal network resources by authenticated users, which can lead to the exfiltration of sensitive data.
- Exposure of IAM credentials, potentially allowing attackers to escalate privileges or access other systems.
- Leakage of patient health records, compromising patient privacy and confidentiality.
- Potential access to internal cloud metadata services or container orchestration endpoints, which could further compromise the infrastructure.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves authenticated users creating FHIR Subscription resources with arbitrary endpoint URLs that can cause unauthorized internal network requests. Detection can focus on monitoring for unusual or unauthorized creation of FHIR Subscription resources, especially those with endpoints pointing to internal addresses such as cloud metadata services, internal databases, or container orchestration endpoints.
Network detection can include monitoring outbound POST requests from the Medplum server to internal IP ranges or unusual URLs that are not part of normal operations.
- Use API audit logs or database queries to identify creation or modification of FHIR Subscription resources with suspicious endpoint URLs.
- Monitor network traffic for POST requests from the Medplum server to internal IP addresses or metadata service endpoints.
- Example command to search logs for suspicious subscription endpoints (assuming logs contain JSON entries); the first alternative matches any plain-HTTP endpoint, the rest match loopback, link-local (cloud metadata) and RFC 1918 addresses: `grep -i 'Subscription' /var/log/medplum.log | grep -E 'http://|https?://(169\.254\.169\.254|127\.0\.0\.1|localhost|10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.|192\.168\.)'`
- Use network monitoring tools like tcpdump or Wireshark to capture outgoing HTTP POST requests from the Medplum server and filter for internal IP ranges: `tcpdump -i eth0 tcp dst port 80 and src host <medplum-server-ip>`
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Medplum to version 5.1.14 or later, where the vulnerability is fixed by requiring HTTPS for rest-hook Subscription URLs by default.
If upgrading immediately is not possible, configure the system to reject HTTP endpoints for FHIR Subscription resources to prevent SSRF attacks.
- Upgrade Medplum to version 5.1.14 or later.
- Ensure that the configuration option `allowInsecureRestHookUrl` is disabled or set to false to block insecure HTTP URLs.
- Validate and audit existing FHIR Subscription resources to remove or update any with insecure or suspicious endpoint URLs.
- Implement network-level controls to restrict the Medplum server from making unauthorized internal network requests.
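The detection bullets above (audit Subscription resources for endpoints that use plain HTTP or point at internal addresses) and the mitigation bullet about auditing existing Subscriptions describe the same check. The following is an added example, written for this page and not taken from Medplum's code base, that performs that audit offline over a constructed list of FHIR Subscription resources. It assumes only the standard FHIR R4 layout the page refers to (`channel.type` of `rest-hook` and `channel.endpoint` holding the URL); the sample resources and ids are invented for illustration.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed sample FHIR Subscription resources (illustrative only, not taken
# from the page or from Medplum); only channel.type and channel.endpoint matter.
SAMPLE_SUBSCRIPTIONS = [
    {"resourceType": "Subscription", "id": "sub-ok",
     "channel": {"type": "rest-hook", "endpoint": "https://hooks.example.org/fhir"}},
    {"resourceType": "Subscription", "id": "sub-metadata",
     "channel": {"type": "rest-hook", "endpoint": "http://169.254.169.254/latest/meta-data/"}},
    {"resourceType": "Subscription", "id": "sub-localhost",
     "channel": {"type": "rest-hook", "endpoint": "https://localhost:8080/hook"}},
    {"resourceType": "Subscription", "id": "sub-rfc1918",
     "channel": {"type": "rest-hook", "endpoint": "https://10.0.0.12/fhir"}},
    {"resourceType": "Subscription", "id": "sub-v6-loopback",
     "channel": {"type": "rest-hook", "endpoint": "https://[::1]/hook"}},
    {"resourceType": "Subscription", "id": "sub-email",
     "channel": {"type": "email", "endpoint": "mailto:oncall@example.org"}},
]

LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def address_is_non_public(host: str) -> bool:
    """True if host is an IP literal in a loopback, link-local, private,
    reserved, multicast or unspecified range. Non-literal hostnames return
    False: DNS is deliberately not consulted so the check runs offline."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    mapped = getattr(ip, "ipv4_mapped", None)  # ::ffff:a.b.c.d -> check the v4 part
    if mapped is not None:
        ip = mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def endpoint_findings(endpoint: str) -> list[str]:
    """Return the reasons a rest-hook endpoint should be rejected or reviewed.
    An empty list means the URL passed every check."""
    findings = []
    parsed = urlparse(endpoint)
    if parsed.scheme.lower() != "https":
        # The plain-HTTP case is what allowInsecureRestHookUrl=false blocks.
        findings.append("insecure-scheme")
    host = (parsed.hostname or "").lower().rstrip(".")
    if not host:
        findings.append("missing-host")
    elif host in LOOPBACK_NAMES:
        findings.append("loopback-name")
    elif address_is_non_public(host):
        findings.append("non-public-address")
    return findings


def audit_subscriptions(resources: list[dict]) -> dict[str, list[str]]:
    """Map Subscription id -> findings for every rest-hook Subscription that
    fails a check. Other channel types (email, websocket, ...) are skipped."""
    flagged = {}
    for res in resources:
        if res.get("resourceType") != "Subscription":
            continue
        channel = res.get("channel") or {}
        if channel.get("type") != "rest-hook":
            continue
        findings = endpoint_findings(channel.get("endpoint", ""))
        if findings:
            flagged[res.get("id", "<no id>")] = findings
    return flagged


if __name__ == "__main__":
    # Feed the output of a Subscription search (e.g. a FHIR Bundle's entries)
    # to audit_subscriptions in place of the constructed sample list.
    for sub_id, reasons in audit_subscriptions(SAMPLE_SUBSCRIPTIONS).items():
        print(f"{sub_id}: {', '.join(reasons)}")
```

The check is static on purpose: a hostname that resolves to an internal address passes it, as does a DNS name that is later re-pointed, which is why the last bullet's network-level egress controls still matter even after the upgrade and the `allowInsecureRestHookUrl` setting are in place.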