Cyber Resilience

CVE-2026-34359

High · Public PoC

Published: 31 March 2026

Modified: 03 April 2026
KEV Added: not listed
Patch: available (6.9.4)
CVSS Score (v3.1): 7.4 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0016 (5.3rd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-34359 is a high-severity Origin Validation Error (CWE-346) vulnerability in Hapifhir Hl7 Fhir Core. Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Steal Application Access Token (T1528). The CVE is ranked at the 5.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-34359 is a vulnerability in HAPI FHIR, a complete Java implementation of the HL7 FHIR standard for healthcare interoperability. In versions prior to 6.9.4, the ManagedWebAccessUtils.getServer() function uses String.startsWith() to match request URLs against configured server URLs for authentication credential dispatch. This approach lacks trailing slash or host boundary checks, allowing prefix-based mismatches such as an attacker-controlled domain like http://tx.fhir.org.attacker.com to match a legitimate configured URL like http://tx.fhir.org. The vulnerability is rated 7.4 on the CVSS v3.1 scale (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N) and maps to CWE-346.

A remote attacker without privileges can exploit this by registering a domain that prefixes a configured server URL. When an HTTP client follows a redirect to the attacker's domain, the flawed matching causes the dispatch of sensitive authentication credentials, including Bearer tokens, Basic auth credentials, or API keys, to the attacker-controlled endpoint. Exploitation requires high attack complexity, typically involving control over redirects or user interaction to trigger the client-side request.
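The prefix check described above, next to a host-boundary check, as an added illustration that is not code from the HAPI FHIR project or its patch. `matchesByPrefix` reproduces the flawed `String.startsWith()` comparison; `matchesByOrigin` is an assumed hardened form that compares scheme, host and port exactly and only accepts the request path on a path-segment boundary. The request URLs are constructed for the demo.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

public final class ServerUrlMatch {
    // The flawed form the advisory describes: a bare string prefix test, so a
    // request to http://tx.fhir.org.attacker.com passes for configured http://tx.fhir.org.
    static boolean matchesByPrefix(String configured, String request) {
        return request.startsWith(configured);
    }
    // Hardened form (an assumption for this example, not the project's patch):
    // scheme, host and port must be identical, and the configured path must end
    // on a path-segment boundary of the request path.
    static boolean matchesByOrigin(String configured, String request) {
        URI cfg, req;
        try {
            cfg = new URI(configured);
            req = new URI(request);
        } catch (URISyntaxException e) {
            return false; // unparseable input never receives credentials
        }
        String origin = originOf(cfg);
        if (origin == null || !origin.equals(originOf(req))) return false;
        String cfgPath = stripTrailingSlash(cfg.getRawPath());
        String reqPath = stripTrailingSlash(req.getRawPath());
        return reqPath.equals(cfgPath) || reqPath.startsWith(cfgPath + "/");
    }
    // "scheme://host:port" in lower case with the default port filled in, or null if absent.
    private static String originOf(URI u) {
        if (u.getScheme() == null || u.getHost() == null) return null;
        int port = u.getPort() != -1 ? u.getPort()
                : "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
        return (u.getScheme() + "://" + u.getHost() + ":" + port).toLowerCase(Locale.ROOT);
    }
    private static String stripTrailingSlash(String path) {
        String p = path == null ? "" : path;
        while (p.endsWith("/")) p = p.substring(0, p.length() - 1);
        return p;
    }
    public static void main(String[] args) {
        String configured = "http://tx.fhir.org"; // configured server URL from the advisory
        String[] requests = { "http://tx.fhir.org/r4/metadata",             // legitimate
                              "http://tx.fhir.org.attacker.com/r4/metadata", // lookalike host
                              "http://tx.fhir.org:8080/r4/metadata" };       // other port
        for (String r : requests)
            System.out.printf("%-46s prefix=%-5b origin=%b%n",
                    r, matchesByPrefix(configured, r), matchesByOrigin(configured, r));
    }
}
```

Save as ServerUrlMatch.java and run it with `java ServerUrlMatch.java` (single-file launch, JDK 11 or later); the prefix check accepts all three requests, the origin check accepts only the first.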

The vulnerability has been patched in HAPI FHIR version 6.9.4. Additional details are available in the GitHub security advisory at https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-fgv2-4q4g-wc35.


Vulnerability details

HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.4, ManagedWebAccessUtils.getServer() uses String.startsWith() to match request URLs against configured server URLs for authentication credential dispatch. Because configured server URLs (e.g., http://tx.fhir.org) lack a trailing slash or host boundary check, an attacker-controlled domain like http://tx.fhir.org.attacker.com matches the prefix and receives Bearer tokens, Basic auth credentials, or API keys when the HTTP client follows a redirect to that domain. This issue has been patched in version 6.9.4.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1528 Steal Application Access Token (Credential Access)
Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.
Why these techniques?

The vulnerability's flawed URL prefix matching (startsWith without boundary checks) directly enables an attacker to receive dispatched authentication credentials including Bearer tokens and API keys when a client follows a redirect to an attacker-controlled domain, facilitating T1528 Steal Application Access Token.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-34361 (same product: Hapifhir Hl7 Fhir Core)
CVE-2025-7659 (shared CWE-346)
CVE-2026-44184 (shared CWE-346)
CVE-2026-27192 (shared CWE-346)
CVE-2026-8950 (shared CWE-346)
CVE-2026-32303 (shared CWE-346)
CVE-2026-34927 (shared CWE-346)
CVE-2022-50925 (shared CWE-346)
CVE-2025-71217 (shared CWE-346)
CVE-2026-34929 (shared CWE-346)

Affected Assets

hapifhir hl7 fhir core, versions ≤ 6.9.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent · SI-10 (Information Input Validation)

Proper information input validation of request URLs with host boundary and trailing slash checks prevents prefix-based mismatches that dispatch credentials to attacker-controlled domains.

prevent · AC-4 (Information Flow Enforcement)

Enforces information flow control policies restricting authentication credential dispatch to exactly configured server URLs, blocking flows to deceptive prefix-matching domains.

prevent · Access Enforcement

Ensures access enforcement mechanisms correctly authorize credential dispatch only to validated server identities, mitigating flawed URL prefix matching.
