CVE-2026-55471
Received Received - Intake

XXE via Unrestricted SAXON Transformer in HAPI FHIR

Vulnerability report for CVE-2026-55471, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to 6.9.10, org.hl7.fhir.utilities.XsltUtilities saxonTransform(...) overloads instantiated a bare net.sf.saxon.TransformerFactoryImpl() without ACCESS_EXTERNAL_DTD or ACCESS_EXTERNAL_STYLESHEET restrictions, allowing an attacker who controls or can tamper with transformed XML to trigger XML External Entity injection for local file disclosure and blind XXE or SSRF to arbitrary URLs reachable from the host. This issue is fixed in version 6.9.10.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
hl7 hapi_fhir 6.9.10

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-611 The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in HAPI FHIR versions prior to 6.9.10 in the saxonTransform(...) methods of the org.hl7.fhir.utilities.XsltUtilities class. These methods instantiate a TransformerFactoryImpl without restricting ACCESS_EXTERNAL_DTD or ACCESS_EXTERNAL_STYLESHEET, which allows an attacker who can control or tamper with the transformed XML to perform XML External Entity (XXE) injection.

As a result, the attacker can cause local file disclosure or perform blind XXE or Server-Side Request Forgery (SSRF) attacks to arbitrary URLs accessible from the host running the software.

This issue is fixed in version 6.9.10 of HAPI FHIR.

Impact Analysis

The vulnerability can lead to serious security impacts including unauthorized disclosure of local files on the server, which may contain sensitive information.

Additionally, it enables blind XXE or SSRF attacks, allowing attackers to make arbitrary requests from the vulnerable host to internal or external systems, potentially leading to further exploitation or data exfiltration.

Since the vulnerability requires no privileges or user interaction, it can be exploited remotely and easily, increasing the risk.

Mitigation Strategies

To mitigate this vulnerability, upgrade HAPI FHIR to version 6.9.10 or later, where the issue has been fixed by restricting ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_STYLESHEET in the TransformerFactoryImpl instantiation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55471. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart