CVE-2026-33180
Published: 20 March 2026
Summary
CVE-2026-33180 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in HAPI FHIR. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Steal Application Access Token (T1528). It ranks at the 13.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AU-13 (Monitoring for Information Disclosure).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): mandates timely remediation of the vulnerable HAPI FHIR versions (prior to 6.9.0), removing the behaviour that forwards request headers to the host named in a redirect.
Requires filtering of outbound HTTP requests so that credential-bearing headers (Authorization, Cookie and similar) are removed or restricted when a redirect leaves the original host, limiting exposure even where redirects are still followed.
AU-13 (Monitoring for Information Disclosure): enables monitoring of outbound traffic to identify sensitive headers being sent to unintended hosts after a 30X redirect.
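The AU-13 item above describes what to look for but not how. The following is an added detection sketch, not code from this page or from the HAPI FHIR project: it walks a constructed egress-proxy log (JSON lines, hypothetical field names; `auth_fp` is assumed to be a hash of the Authorization header, never the raw value) and raises an alert when a client received a 30X to a different host and then contacted that host with the same credential fingerprint.

```python
"""Detect credential headers following a cross-host redirect in proxy logs.

Added example for the monitoring control; the log lines and field names are
constructed for illustration and do not correspond to any real proxy product.
"""
import json
from urllib.parse import urlsplit

# Constructed sample: one client leaks its token to collect.attacker.example,
# one is redirected within the same host, and one reaches a second partner host
# without credentials (no alert expected for the latter two).
SAMPLE_LOG = """\
{"ts": 100.0, "client": "10.0.5.12", "host": "fhir.partner.example", "path": "/Patient/1", "status": 302, "location": "https://collect.attacker.example/x", "auth_fp": "a1b2"}
{"ts": 100.2, "client": "10.0.5.12", "host": "collect.attacker.example", "path": "/x", "status": 200, "location": null, "auth_fp": "a1b2"}
{"ts": 101.0, "client": "10.0.5.13", "host": "fhir.partner.example", "path": "/Patient/2", "status": 302, "location": "https://fhir.partner.example/Patient/2/", "auth_fp": "c3d4"}
{"ts": 101.1, "client": "10.0.5.13", "host": "fhir.partner.example", "path": "/Patient/2/", "status": 200, "location": null, "auth_fp": "c3d4"}
{"ts": 102.0, "client": "10.0.5.14", "host": "fhir.partner.example", "path": "/Patient/3", "status": 302, "location": "https://cdn.partner.example/bundle", "auth_fp": "e5f6"}
{"ts": 102.3, "client": "10.0.5.14", "host": "cdn.partner.example", "path": "/bundle", "status": 200, "location": null, "auth_fp": null}
"""

REDIRECT_CODES = {301, 302, 303, 307, 308}
WINDOW_SECONDS = 5.0  # how long after the 30X a follow-up request still counts


def find_cross_host_credential_leaks(log_text):
    """Return one alert per (client, redirect target) where the follow-up
    request reused the credential fingerprint seen on the redirected request."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    events.sort(key=lambda e: e["ts"])
    # (client, redirect target host) -> (ts of 30X, origin host, auth fingerprint)
    pending = {}
    alerts = []
    for e in events:
        hit = (e["client"], e["host"])
        if hit in pending:
            ts0, origin, fp = pending.pop(hit)
            if fp and e["auth_fp"] == fp and e["ts"] - ts0 <= WINDOW_SECONDS:
                alerts.append({"client": e["client"], "from": origin,
                               "to": e["host"], "auth_fp": fp})
        # Record redirects whose Location points at a different host.
        if e["status"] in REDIRECT_CODES and e.get("location"):
            target = urlsplit(e["location"]).hostname
            if target and target != e["host"]:
                pending[(e["client"], target)] = (e["ts"], e["host"], e["auth_fp"])
    return alerts


if __name__ == "__main__":
    for a in find_cross_host_credential_leaks(SAMPLE_LOG):
        print(f"ALERT {a['client']}: credential {a['auth_fp']} sent to {a['to']} after redirect from {a['from']}")
```

The rule keys on host only; a stricter version would also treat an https-to-http downgrade on the same host as a boundary crossing, and pending entries that never see a follow-up should be expired rather than kept indefinitely.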
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability leaks authentication tokens and session identifiers carried in request headers to an attacker-controlled host via a malicious 30X redirect, which directly enables theft of application access tokens and subsequent impersonation of the client.
NVD Description
HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.0, when setting headers in HTTP requests, the internal HTTP client sends headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in the URL in the Location: response header value. Sending the same set of headers to subsequent hosts is a problem as this header often contains privacy sensitive information or data that could allow others to impersonate the client's request. This issue has been patched in release 6.9.0. No known workarounds are available.
Deeper analysis
CVE-2026-33180 affects HAPI FHIR, a Java-based implementation of the HL7 FHIR standard for healthcare interoperability. In versions prior to 6.9.0, when the library's internal HTTP client is configured to follow redirects, it re-sends the same set of request headers (including any that carry privacy-sensitive information or credentials that could enable impersonation of the client) to the host named in the Location header of a 30X response. This violates the expectation that headers stay confined to the host the caller addressed, exposing sensitive data to unintended parties, and maps to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N): network-reachable, no privileges or user interaction required, with high confidentiality impact and no integrity or availability impact.
Exploitation requires no authentication or user interaction, but it does require that the client be configured to follow redirects and that it issue a request to a server whose 30X response the attacker controls (a malicious or compromised endpoint, or a legitimate endpoint that can be induced to redirect to an attacker-chosen host). The attacker then receives the full header set, including authentication tokens, session identifiers or other client-specific details, which can lead to privacy breaches or request impersonation in healthcare interoperability scenarios.
The GitHub security advisory (GHSA-p7m9-v2cm-2h7m) confirms the issue is patched in HAPI FHIR version 6.9.0 and urges users to upgrade immediately. No workarounds are available.
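To make the failure mode concrete, here is an added illustration in Python (not HAPI FHIR code, which is Java, and not taken from the advisory): a minimal redirect-following client with a switch between the vulnerable behaviour described above and the hardened rule of dropping credential-bearing headers once the redirect target's host and port differ from the original request's. Two local HTTP servers stand in for the addressed endpoint (which answers 302) and the attacker's collection host; all names, ports and the token value are constructed for the demo.

```python
"""Header forwarding across a 30X redirect: vulnerable vs. hardened client.

Added example. `follow_redirects` is a toy client built on http.client;
the two servers are started on loopback with ephemeral ports.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Headers that must not travel to a host the caller did not address.
SENSITIVE_HEADERS = {"authorization", "cookie", "proxy-authorization"}


def follow_redirects(url, headers, strip_on_host_change, max_hops=5):
    """GET `url`, following 30X responses.

    strip_on_host_change=False reproduces the vulnerable pattern (identical
    headers sent to every hop). True drops SENSITIVE_HEADERS as soon as the
    hop's (host, port) differs from the original request's.
    Returns (final status, body).
    """
    origin = urlsplit(url)
    for _ in range(max_hops):
        parts = urlsplit(url)
        to_send = dict(headers)
        crossed_host = (parts.hostname, parts.port) != (origin.hostname, origin.port)
        if strip_on_host_change and crossed_host:
            to_send = {k: v for k, v in to_send.items() if k.lower() not in SENSITIVE_HEADERS}
        conn = http.client.HTTPConnection(parts.hostname, parts.port, timeout=5)
        conn.request("GET", parts.path or "/", headers=to_send)
        resp = conn.getresponse()
        body = resp.read()
        location = resp.getheader("Location")
        conn.close()
        if resp.status in (301, 302, 303, 307, 308) and location:
            url = location  # next hop; the loop re-evaluates the host check
            continue
        return resp.status, body
    raise RuntimeError("too many redirects")


class _QuietHandler(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo output clean
        pass


def _serve(handler_cls):
    srv = HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def run_demo():
    """Run both client modes; return what the redirect target saw in each."""
    seen = []  # Authorization values received by the "attacker" host

    class Target(_QuietHandler):
        def do_GET(self):
            seen.append(self.headers.get("Authorization"))
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"ok")

    target = _serve(Target)
    target_url = f"http://127.0.0.1:{target.server_address[1]}/collect"

    class Redirector(_QuietHandler):  # the endpoint the client meant to call
        def do_GET(self):
            self.send_response(302)
            self.send_header("Location", target_url)
            self.end_headers()

    redirector = _serve(Redirector)
    start_url = f"http://127.0.0.1:{redirector.server_address[1]}/fhir/Patient/1"
    headers = {"Authorization": "Bearer example-token",  # constructed token
               "Accept": "application/fhir+json"}

    results = {}
    for mode, strip in (("vulnerable", False), ("hardened", True)):
        status, _ = follow_redirects(start_url, headers, strip_on_host_change=strip)
        results[mode] = {"status": status, "auth_seen_by_target": seen[-1]}
    for srv in (redirector, target):
        srv.shutdown()
        srv.server_close()
    return results


if __name__ == "__main__":
    for mode, r in run_demo().items():
        print(f"{mode:10s} status={r['status']} target saw Authorization={r['auth_seen_by_target']!r}")
```

The host check compares hostname and port only, which is enough to show the bug; a production rule should also treat a scheme downgrade (https to http) on the same host as a boundary crossing, since the token would otherwise be re-sent in clear text.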
Details
- CWE(s)