SB2026050448 - Multiple vulnerabilities in FHIR

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-34360)

The disclosed vulnerability allows a remote attacker to perform SSRF attacks.

The vulnerability exists due to insufficient validation of user-supplied input in the /loadIG HTTP endpoint. A remote attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.

Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.

2) Insufficiently protected credentials (CVE-ID: CVE-2026-34361)

The vulnerability allows a remote attacker to gain access to sensitive information on the system.

The vulnerability exists due to insufficiently protected credentials in the /loadIG endpoint. A remote attacker can steal authentication tokens configured for legitimate FHIR servers.

3) Origin validation error (CVE-ID: CVE-2026-34359)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to improper URL prefix matching on HTTP redirect in HAPI FHIR core. A remote attacker can gain access to sensitive information on the system or modify data.

Remediation

Install update from vendor's website.

References

• https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-3ww8-jw56-9f5h
• https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-vr79-8m62-wh98
• https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-fgv2-4q4g-wc35