CVE-2026-34359
Published: 31 March 2026
Summary
CVE-2026-34359 is a high-severity Origin Validation Error (CWE-346) vulnerability in Hapifhir Hl7 Fhir Core. Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Steal Application Access Token (T1528); ranked at the 5.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Proper input validation of request URLs, with host boundary and trailing slash checks, prevents prefix-based mismatches that dispatch credentials to attacker-controlled domains.
- AC-4 (Information Flow Enforcement): Enforces information flow control policies that restrict authentication credential dispatch to exactly the configured server URLs, blocking flows to deceptive prefix-matching domains.
- AC-3 (Access Enforcement): Ensures access enforcement mechanisms authorize credential dispatch only to validated server identities, mitigating flawed URL prefix matching.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability's flawed URL prefix matching (startsWith without boundary checks) directly enables an attacker to receive dispatched authentication credentials including Bearer tokens and API keys when a client follows a redirect to an attacker-controlled domain, facilitating T1528 Steal Application Access Token.
NVD Description
HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.4, ManagedWebAccessUtils.getServer() uses String.startsWith() to match request URLs against configured server URLs for authentication credential dispatch. Because configured server URLs (e.g., http://tx.fhir.org) lack a trailing slash or host boundary check, an attacker-controlled domain like http://tx.fhir.org.attacker.com matches the prefix and receives Bearer tokens, Basic auth credentials, or API keys when the HTTP client follows a redirect to that domain. This issue has been patched in version 6.9.4.
Deeper analysis
CVE-2026-34359 is a vulnerability in HAPI FHIR, a complete Java implementation of the HL7 FHIR standard for healthcare interoperability. In versions prior to 6.9.4, the ManagedWebAccessUtils.getServer() method uses String.startsWith() to match request URLs against configured server URLs when deciding where to dispatch authentication credentials. Because the comparison performs no trailing slash or host boundary check, a URL on an attacker-controlled domain such as http://tx.fhir.org.attacker.com is accepted as a match for the legitimately configured http://tx.fhir.org, since the configured string is a textual prefix of the attacker's hostname. The vulnerability is rated 7.4 on the CVSS v3.1 scale (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N) and maps to CWE-346.
A remote attacker without privileges can exploit this by registering a domain whose name begins with a configured server's host (for example, tx.fhir.org.attacker.com when http://tx.fhir.org is configured). When an HTTP client follows a redirect to the attacker's domain, the flawed matching causes sensitive authentication credentials, including Bearer tokens, Basic auth credentials, or API keys, to be dispatched to the attacker-controlled endpoint. Exploitation requires high attack complexity, typically involving control over redirects or user interaction to trigger the client-side request.
The vulnerability has been patched in HAPI FHIR version 6.9.4. Additional details are available in the GitHub security advisory at https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-fgv2-4q4g-wc35.
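The following Java program is an added illustration of the defect class described above and is not code from HAPI FHIR or its fix. It places a prefix-only matcher (the behaviour the advisory attributes to versions before 6.9.4) beside a hardened matcher that compares scheme, host and port exactly and then requires a path boundary. The configured server list, the placeholder credential, and the helper names getServerVulnerable, getServerHardened, sameOrigin and pathWithinBase are all constructed for this example; the hardened variant is one correct way to enforce an origin check, not a claim about how the project's patch is implemented.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.Optional;

public class ServerMatchDemo {

    // Constructed sample configuration: a server URL and the credential bound to it.
    record ConfiguredServer(String url, String credential) {}

    static final List<ConfiguredServer> SERVERS = List.of(
            new ConfiguredServer("http://tx.fhir.org", "Bearer <placeholder-token>"));

    // Prefix-only matcher: the defect class the advisory describes. Any URL whose text
    // begins with the configured string matches, including a hostname that merely
    // extends the configured host (tx.fhir.org.attacker.com).
    static Optional<ConfiguredServer> getServerVulnerable(String requestUrl) {
        for (ConfiguredServer s : SERVERS) {
            if (requestUrl.startsWith(s.url())) {
                return Optional.of(s);
            }
        }
        return Optional.empty();
    }

    // Hardened matcher: parse both URLs, require an exact scheme/host/port match,
    // and only then check that the request path sits at or below the configured path.
    static Optional<ConfiguredServer> getServerHardened(String requestUrl) {
        URI req;
        try {
            req = new URI(requestUrl);
        } catch (URISyntaxException e) {
            return Optional.empty(); // unparseable input never receives credentials
        }
        for (ConfiguredServer s : SERVERS) {
            URI cfg = URI.create(s.url());
            if (sameOrigin(cfg, req) && pathWithinBase(cfg.getPath(), req.getPath())) {
                return Optional.of(s);
            }
        }
        return Optional.empty();
    }

    // Exact origin comparison; the host check is what defeats the prefix trick.
    static boolean sameOrigin(URI a, URI b) {
        return a.getScheme() != null && a.getScheme().equalsIgnoreCase(b.getScheme())
                && a.getHost() != null && a.getHost().equalsIgnoreCase(b.getHost())
                && effectivePort(a) == effectivePort(b);
    }

    static int effectivePort(URI u) {
        if (u.getPort() != -1) return u.getPort();
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    // Path boundary check: "/base" matches "/base" and "/base/..." but not "/basement".
    static boolean pathWithinBase(String basePath, String reqPath) {
        String base = (basePath == null || basePath.isEmpty()) ? "/" : basePath;
        if (!base.endsWith("/")) base = base + "/";
        String path = (reqPath == null || reqPath.isEmpty()) ? "/" : reqPath;
        return path.equals(base.substring(0, base.length() - 1)) || path.startsWith(base);
    }

    public static void main(String[] args) {
        // Constructed probe URLs: one legitimate, one prefix-extended host, two origin variants.
        String[] probes = {
            "http://tx.fhir.org/r4/ValueSet/$expand",
            "http://tx.fhir.org.attacker.com/r4/ValueSet/$expand",
            "http://tx.fhir.org:8080/r4",
            "https://tx.fhir.org/r4",
        };
        for (String p : probes) {
            System.out.printf("%-55s vulnerable=%-5s hardened=%s%n", p,
                    getServerVulnerable(p).isPresent(), getServerHardened(p).isPresent());
        }
    }
}
```

Running the program shows the first two probes both matching under the prefix-only check, while the hardened check accepts only the first; the last two probes differ in port and scheme and are rejected by the hardened matcher, which is the intended strictness for a credential dispatch decision. A detection-side corollary is that outbound requests carrying an Authorization header to any host other than the exactly configured ones are worth alerting on in egress logs.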
Details
- CWE(s)