Cyber Resilience

CVE-2026-33180

Severity: High (updated)
Published: 20 March 2026
Modified: 30 June 2026
KEV Added: not listed
Patch: available (6.9.0)
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0024 (15.5th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-33180 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in HAPI FHIR; the vendor attribution to Redhat is inferred from references. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Steal Application Access Token (T1528); ranked at the 15.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AU-13 (Monitoring for Information Disclosure).

Deeper analysis

CVE-2026-33180 affects HAPI FHIR, a Java-based implementation of the HL7 FHIR standard for healthcare interoperability. In versions prior to 6.9.0, the library's internal HTTP client forwards all request headers—including those with privacy-sensitive information or data that could enable impersonation of the client—to the host specified in the Location header during 30X redirects. This violates expectations that headers remain confined to the initial target host, exposing sensitive data to unintended parties and mapping to CWE-200 (Exposure of Sensitive Information). The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Attackers can exploit this remotely without authentication or user interaction by controlling a server that issues a 30X redirect response, tricking the HAPI FHIR client into sending the full set of headers to the attacker's designated host. This enables unauthorized access to confidential header data, such as authentication tokens, session identifiers, or other client-specific details, potentially leading to privacy breaches or request impersonation in healthcare interoperability scenarios.

The GitHub security advisory (GHSA-p7m9-v2cm-2h7m) confirms the issue has been patched in HAPI FHIR version 6.9.0, urging users to upgrade immediately. No workarounds are available.

Vulnerability details

HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.0, when setting headers in HTTP requests, the internal HTTP client sends headers first to the host in the initial URL, but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in the URL in the Location: response header value. Sending the same set of headers to subsequent hosts is a problem, as these headers often contain privacy-sensitive information or data that could allow others to impersonate the client's request. This issue has been patched in release 6.9.0. No known workarounds are available.
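The behaviour described above (in both the Deeper analysis and the Vulnerability details), and the outbound-header filtering named under Mitigating Controls, can be modelled with a small redirect-following routine. This is an added illustration, not HAPI FHIR's own client code: it resolves each Location header against the current URL and drops credential-bearing headers whenever the redirect leaves the original origin. The header deny-list, the URLs and the in-memory transport are constructed for the example.

```python
from urllib.parse import urljoin, urlsplit

# Assumed deny-list of headers that must not cross an origin boundary.
SENSITIVE_HEADERS = {"authorization", "cookie", "proxy-authorization", "x-api-key"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Normalise a URL to (scheme, host, port) so 443 and an omitted port compare equal."""
    p = urlsplit(url)
    return p.scheme, p.hostname, p.port or DEFAULT_PORTS.get(p.scheme)


def headers_for_redirect(current_url, location, headers):
    """Resolve a Location value and return (target_url, headers_to_send).

    Same-origin redirects keep every header; cross-origin redirects lose the
    sensitive ones, which is the fix the advisory describes for 6.9.0.
    """
    target = urljoin(current_url, location)
    if origin(current_url) == origin(target):
        return target, dict(headers)
    return target, {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}


def follow_redirects(url, headers, send, max_hops=5):
    """Drive a transport `send(url, headers) -> (status, response_headers, body)`."""
    for _ in range(max_hops):
        status, resp_headers, body = send(url, headers)
        location = resp_headers.get("Location")
        if status not in (301, 302, 303, 307, 308) or not location:
            return url, status, body
        url, headers = headers_for_redirect(url, location, headers)
    raise RuntimeError("too many redirects")


# Constructed in-memory transport: canned responses plus a record of the
# headers each URL actually received, so the filtering can be inspected.
RESPONSES = {
    "https://fhir.example.org/Patient/1": (302, {"Location": "https://other.example.net/collect"}, b""),
    "https://other.example.net/collect": (200, {}, b"ok"),
    "https://fhir.example.org/old": (301, {"Location": "/Patient/2"}, b""),
    "https://fhir.example.org/Patient/2": (200, {}, b'{"resourceType":"Patient"}'),
}
SEEN = {}


def fake_send(url, headers):
    SEEN[url] = dict(headers)
    return RESPONSES[url]


def demo():
    hdrs = {"Authorization": "Bearer constructed-token", "Accept": "application/fhir+json"}
    follow_redirects("https://fhir.example.org/Patient/1", hdrs, fake_send)  # cross-origin hop
    follow_redirects("https://fhir.example.org/old", hdrs, fake_send)        # same-origin hop
    return SEEN
```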

CWE(s)

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1528 Steal Application Access Token (tactic: Credential Access)
Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.
Why these techniques?

Vulnerability leaks auth tokens/session IDs in headers to attacker-controlled host via malicious 30X redirect, directly enabling theft of application access tokens for subsequent impersonation.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-40895 (shared CWE-200)
CVE-2026-33745 (shared CWE-200)
CVE-2025-21620 (shared CWE-200)
CVE-2025-70963 (shared CWE-200)
CVE-2026-34969 (shared CWE-200)
CVE-2026-26069 (shared CWE-200)
CVE-2025-62188 (shared CWE-200)
CVE-2026-36539 (shared CWE-200)
CVE-2024-34897 (shared CWE-200)
CVE-2024-13638 (shared CWE-200)

Affected Assets

Redhat (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

Prevent (SI-2 Flaw Remediation): Directly mandates timely remediation of the vulnerable HAPI FHIR versions prior to 6.9.0 to prevent header forwarding to unauthorized redirect hosts.

Prevent: Requires filtering of outbound HTTP requests to remove or restrict sensitive headers, mitigating exposure even if redirects are followed.

Detect (AU-13 Monitoring for Information Disclosure): Enables monitoring of outbound communications traffic to identify disclosures of sensitive headers to unintended hosts during redirects.
