CVE-2026-45367
Awaiting Analysis Awaiting Analysis - Queue

HAPI FHIR Regex Catastrophic Backtracking DoS

Vulnerability report for CVE-2026-45367, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: GitHub, Inc.

Description

HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to 6.9.7, the FHIRPathEngine implementation passes user-controlled regular expressions from matches(), matchesFull(), and replaceMatches() to Java regex operations without effective timeouts, allowing catastrophic backtracking and denial of service. This issue is fixed in version 6.9.7.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
hapifhir org.hl7.fhir.core From 6.9.7 (inc)
hapi_fhir hapi_fhir to 6.9.7 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1333 The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-45367 is a ReDoS (Regular Expression Denial of Service) vulnerability in HAPI FHIR, a Java implementation of the HL7 FHIR standard. It affects the FHIRPathEngine's matches(), matchesFull(), and replaceMatches() functions which process user-controlled regular expressions without timeouts. Attackers can exploit this by crafting malicious regex patterns that cause catastrophic backtracking, leading to excessive CPU usage and system unavailability.

Detection Guidance

Detecting this vulnerability requires checking the HAPI FHIR version in use. If your system runs versions prior to 6.9.7, it is vulnerable. Use commands like 'find . -name "hapi-fhir*.jar"' to locate the library and 'java -jar hapi-fhir*.jar --version' to check the version. Monitor CPU usage spikes during FHIRPath operations as high CPU could indicate ongoing ReDoS attacks.

Impact Analysis

This vulnerability allows attackers to cause denial of service by consuming excessive CPU resources through specially crafted regular expressions. Systems using affected versions of HAPI FHIR may experience slowdowns, unresponsiveness, or crashes when processing FHIRPath expressions with user-controlled regex patterns.

Compliance Impact

This vulnerability could impact compliance with GDPR and HIPAA by enabling denial-of-service attacks through excessive CPU resource consumption. GDPR requires data protection measures to ensure availability and integrity of personal data, while HIPAA mandates safeguards against disruptions to healthcare systems. The DoS risk from catastrophic backtracking may violate these requirements by degrading system performance or causing outages.

Mitigation Strategies

Upgrade HAPI FHIR to version 6.9.7 or later immediately. This version includes timeout mechanisms for regex operations. If upgrading is not possible, restrict network access to FHIR endpoints and implement rate limiting to reduce attack surface. Monitor system logs for unusual regex-related errors or timeouts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45367. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart