9 matches found
CVE-2026-34360
HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.4, the /loadIG HTTP endpoint in the FHIR Validator HTTP service accepts a user-supplied URL via JSON body and makes server-side HTTP requests to it without any hostname,...
CVE-2026-34361 HAPI FHIR: Unauthenticated SSRF via /loadIG Chains with startsWith() Credential Leak for Authentication Token Theft
HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.4, the FHIR Validator HTTP service exposes an unauthenticated "/loadIG" endpoint that makes outbound HTTP requests to attacker-controlled URLs. Combined with a startsWith...
CVE-2026-34361
HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.4, the FHIR Validator HTTP service exposes an unauthenticated "/loadIG" endpoint that makes outbound HTTP requests to attacker-controlled URLs. Combined with a startsWith...
CVE-2026-34361
CVE-2026-34361 affects HAPI FHIR before 6.9.4. The FHIR Validator HTTP service exposes an unauthenticated /loadIG endpoint that can trigger outbound requests to attacker-controlled URLs. A flawed startsWith() credential provider (ManagedWebAccessUtils.getServer()) and an SSRF-like flow allow an a...
CVE-2026-34360
HAPI FHIR (io.root.ca.uhn.hapi.fhir:org.hl7.fhir.core) before version 6.9.4 is vulnerable to an unauthenticated SSRF via the /loadIG endpoint in the FHIR Validator HTTP service. The endpoint accepts a user-supplied URL in JSON and makes server-side requests without strict host/domain validation, ...
CVE-2026-34360 HAPI FHIR: Unauthenticated Blind SSRF via /loadIG Endpoint Enables Internal Network Probing
HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.4, the /loadIG HTTP endpoint in the FHIR Validator HTTP service accepts a user-supplied URL via JSON body and makes server-side HTTP requests to it without any hostname,...
PT-2026-29164
Name of the Vulnerable Software and Affected Versions: HAPI FHIR versions prior to 6.9.4. Description: The HAPI FHIR Validator HTTP service exposes an unauthenticated /loadIG endpoint that makes outbound HTTP requests to attacker-controlled URLs. This, combined with a startsWith URL prefix...
FHIR Validator HTTP service has SSRF via /loadIG Chains with startsWith() Credential Leak for Authentication Token Theft
The FHIR Validator HTTP service exposes an unauthenticated /loadIG endpoint that makes outbound HTTP requests to attacker-controlled URLs. Combined with a startsWith URL prefix matching flaw in the credential provider ManagedWebAccessUtils.getServer, an attacker can steal authentication tokens...