CVE-2026-55470
Received Received - Intake

FHIRPathEngine Regex Backtracking in HAPI FHIR

Vulnerability report for CVE-2026-55470, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to 6.9.10, the fix for CVE-2026-45367 incompletely patched the DSTU2 module, leaving FHIRPathEngine.matches() in org.hl7.fhir.dstu2/utils/FHIRPathEngine.java to call raw String.matches(sw) without RegexTimeout protection while replaceMatches() was updated, allowing an unauthenticated attacker to trigger catastrophic regex backtracking and exhaust server CPU. This issue is fixed in version 6.9.10.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
hapifhir hapi_fhir to 6.9.10 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1333 The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Mitigation Strategies

To mitigate this vulnerability, you should upgrade HAPI FHIR to version 6.9.10 or later, where the issue has been fixed.

Executive Summary

This vulnerability exists in HAPI FHIR, a Java implementation of the HL7 FHIR standard for healthcare interoperability. Before version 6.9.10, a previous fix for another vulnerability (CVE-2026-45367) did not fully patch the DSTU2 module. Specifically, the method FHIRPathEngine.matches() called the raw String.matches(sw) function without protection against regex timeout, while a related method replaceMatches() was updated. This flaw allows an unauthenticated attacker to exploit catastrophic regex backtracking, which can exhaust the server's CPU resources.

Impact Analysis

The vulnerability can be exploited by an unauthenticated attacker to cause catastrophic regex backtracking, leading to excessive CPU consumption on the server running HAPI FHIR. This results in a denial of service (DoS) condition, where legitimate users may experience degraded performance or unavailability of the affected service.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55470. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart