CVE-2026-34361
Published: 31 March 2026
Summary
CVE-2026-34361 is a critical-severity Files or Directories Accessible to External Parties (CWE-552) vulnerability in Hapifhir Hl7 Fhir Core. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 15.3 percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-4 (Information Flow Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Apply vendor patches (fixed in version 6.9.4), which remediate the specific flaws in the unauthenticated /loadIG endpoint and the startsWith() URL prefix matching in ManagedWebAccessUtils.getServer().
- AC-3 (Access Enforcement): enforce approved authorizations by requiring authentication for sensitive endpoints such as /loadIG, blocking unauthenticated access and exploitation.
- AC-4 (Information Flow Enforcement): control information flows by restricting outbound HTTP requests from the FHIR Validator service to organization-approved trusted URLs only, preventing fetches to attacker-controlled domains.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The unauthenticated public endpoint enables T1190 Exploit Public-Facing Application; the flawed credential matching applied to outbound requests directly facilitates T1528 Steal Application Access Token by leaking Bearer tokens and API keys.
NVD Description
HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.4, the FHIR Validator HTTP service exposes an unauthenticated "/loadIG" endpoint that makes outbound HTTP requests to attacker-controlled URLs. Combined with a startsWith() URL prefix matching flaw in the credential provider (ManagedWebAccessUtils.getServer()), an attacker can steal authentication tokens (Bearer, Basic, API keys) configured for legitimate FHIR servers by registering a domain that prefix-matches a configured server URL. This issue has been patched in version 6.9.4.
Deeper analysis
CVE-2026-34361 is a high-severity vulnerability in HAPI FHIR, a Java-based implementation of the HL7 FHIR standard for healthcare interoperability. Versions prior to 6.9.4 expose an unauthenticated "/loadIG" endpoint in the FHIR Validator HTTP service, which makes outbound HTTP requests to attacker-controlled URLs. This issue is compounded by a flaw in the credential provider function ManagedWebAccessUtils.getServer(), which performs insecure startsWith() URL prefix matching, allowing attackers to steal authentication tokens such as Bearer tokens, Basic auth credentials, or API keys configured for legitimate FHIR servers. The vulnerability is rated 9.3 on the CVSS 3.1 scale (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N) and maps to CWE-552 (Files or Directories Accessible to External Parties).
Any unauthenticated remote attacker can exploit this vulnerability over the network with low complexity and no user interaction. By registering a domain whose URL prefix-matches a target organization's configured FHIR server URL, the attacker causes the "/loadIG" endpoint to fetch resources from that domain. Because getServer() selects credentials by startsWith() prefix, the request to the attacker's host carries the valid authentication tokens intended for the legitimate FHIR server, potentially enabling further unauthorized access to sensitive healthcare data.
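To make the credential-selection defect concrete from a defender's side, the following Java example (written for this page; it is not code from the HAPI FHIR project and does not reproduce ManagedWebAccessUtils.getServer()) contrasts a bare startsWith() lookup with a lookup that compares scheme, host and port exactly and requires a path-segment boundary before a credential is released. The ServerConfig type, the configured server URL and the probe URLs are constructed for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.Optional;

public class ServerCredentialMatcher {

    /** A configured server and the credential that may be sent to it (hypothetical type). */
    public record ServerConfig(String url, String credentialLabel) {}

    // Constructed sample configuration: one trusted FHIR server with a bearer token placeholder.
    static final List<ServerConfig> SERVERS = List.of(
            new ServerConfig("https://fhir.example-hospital.org", "Bearer <token-placeholder>"));

    /** Weak lookup: a bare string prefix test, the class of defect the advisory describes. */
    static Optional<ServerConfig> prefixMatch(String requestUrl) {
        return SERVERS.stream().filter(s -> requestUrl.startsWith(s.url())).findFirst();
    }

    /** Hardened lookup: exact scheme, host and port, then a '/'-bounded path prefix. */
    static Optional<ServerConfig> originMatch(String requestUrl) {
        URI req = parse(requestUrl);
        if (req == null) return Optional.empty();
        return SERVERS.stream().filter(s -> {
            URI cfg = parse(s.url());
            return cfg != null
                    && req.getScheme().equalsIgnoreCase(cfg.getScheme())
                    && req.getHost().equalsIgnoreCase(cfg.getHost())
                    && effectivePort(req) == effectivePort(cfg)
                    && pathWithin(req.getPath(), cfg.getPath());
        }).findFirst();
    }

    /** Parse an absolute URL with a host; anything else is rejected (no credential released). */
    private static URI parse(String s) {
        try {
            URI u = new URI(s);
            return u.isAbsolute() && u.getHost() != null ? u : null;
        } catch (URISyntaxException e) {
            return null;
        }
    }

    private static int effectivePort(URI u) {
        if (u.getPort() != -1) return u.getPort();
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    /** True if reqPath equals cfgPath or lies below it on a '/' boundary. */
    private static boolean pathWithin(String reqPath, String cfgPath) {
        String base = (cfgPath == null || cfgPath.isEmpty()) ? "/" : cfgPath;
        String r = (reqPath == null || reqPath.isEmpty()) ? "/" : reqPath;
        if (base.equals("/")) return true;
        String bounded = base.endsWith("/") ? base : base + "/";
        return r.equals(base) || r.startsWith(bounded);
    }

    public static void main(String[] args) {
        // Constructed probes: which of these would receive the configured credential?
        String[] probes = {
            "https://fhir.example-hospital.org/Patient/1",       // legitimate server
            "https://fhir.example-hospital.org.evil.example/x",  // host that merely extends the prefix
            "https://fhir.example-hospital.org:8443/Patient/1",  // same host, different port
            "http://fhir.example-hospital.org/Patient/1",        // downgraded scheme
        };
        for (String p : probes) {
            System.out.printf("%-52s prefixMatch=%-5s originMatch=%s%n", p,
                    prefixMatch(p).isPresent(), originMatch(p).isPresent());
        }
    }
}
```

Running main shows that prefixMatch releases the credential for the first three probes, including the lookalike host and the unexpected port, while originMatch releases it only for the first. An outbound allowlist of the kind AC-4 calls for can reuse originMatch as its gate: if no configured origin matches, the fetch is refused rather than sent without credentials.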
The vulnerability has been patched in HAPI FHIR version 6.9.4. Additional mitigation details and technical analysis are available in the GitHub security advisory at https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-vr79-8m62-wh98.
Details
- CWE(s)