PT-2026-26206 · Hapi Fhir · Hapi Fhir

Elliotsilver

·

Published

2026-03-18

·

Updated

2026-05-26

·

CVE-2026-33180

CVSS v3.1

7.5

High

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: HAPI FHIR versions prior to 6.9.0
Description: HAPI FHIR, a Java implementation of the HL7 FHIR standard, is affected by an issue in its internal HTTP client. When a server answers with a 30x redirect, the client follows the Location response header and re-sends the full set of request headers, including ones that may carry privacy-sensitive or authentication material, to the host named in that Location header, even when it differs from the host originally contacted. The redirect target, which the client does not necessarily trust, therefore receives those headers and could reuse them to impersonate the client's request.
Recommendations: Update to HAPI FHIR version 6.9.0 or later.
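The redirect behaviour described above, as an added example in Python (this is not HAPI FHIR's own code, which is Java, and does not claim to reproduce the 6.9.0 fix): a minimal redirect-following client with the vulnerable policy (forward every request header to whatever host the Location header names) beside the hardened policy (drop Authorization, Proxy-Authorization and Cookie whenever the redirect changes origin, which is what curl and mainstream browsers do). The host names, the bearer token, the header list and the route table are constructed for the example; the network is replaced by an in-memory transport so it runs offline.

```python
from urllib.parse import urljoin, urlsplit

# Request headers that must not be forwarded to a different origin
# (assumed list for this example; the page does not state HAPI FHIR's own list).
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def origin(url):
    """(scheme, host, port) tuple: the unit of comparison for 'same host'.
    Comparing only the host name would let https://a:443 -> http://a:80 pass."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    default_port = 443 if scheme == "https" else 80
    return (scheme, (p.hostname or "").lower(), p.port or default_port)


def headers_for_next_hop(headers, from_url, to_url, strip_on_origin_change):
    """Vulnerable policy: forward every header unchanged.
    Hardened policy: drop credentials when the redirect leaves the origin."""
    if not strip_on_origin_change or origin(from_url) == origin(to_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}


def follow_redirects(url, headers, transport, strip_on_origin_change, max_redirects=5):
    """Send `url` through `transport`, follow 30x responses and record the exact
    headers handed to every host. Returns (final_status, trace) where trace is
    a list of (url, headers_sent) in the order the hops were made."""
    trace = []
    current_url, current_headers = url, dict(headers)
    for _ in range(max_redirects + 1):
        status, response_headers = transport(current_url, current_headers)
        trace.append((current_url, current_headers))
        location = response_headers.get("Location")
        if status not in REDIRECT_STATUSES or location is None:
            return status, trace
        next_url = urljoin(current_url, location)  # Location may be relative
        current_headers = headers_for_next_hop(
            current_headers, current_url, next_url, strip_on_origin_change
        )
        current_url = next_url
    raise RuntimeError("too many redirects")


def make_transport(routes):
    """Constructed offline stand-in for the network: url -> (status, headers)."""
    def transport(url, _request_headers):
        return routes.get(url, (404, {}))
    return transport


# Constructed hosts: a FHIR server and an untrusted redirect target.
ORIGIN_URL = "https://fhir.example.org/Patient/1"
CROSS_HOST_TARGET = "https://attacker.example.net/collect"
SAME_HOST_TARGET = "https://fhir.example.org/Patient/1/_history/2"


def run_scenario(redirect_target, strip_on_origin_change):
    """Return {url: headers that host received} for a request whose first
    response is a 302 to `redirect_target`."""
    routes = {
        ORIGIN_URL: (302, {"Location": redirect_target}),
        redirect_target: (200, {}),
    }
    request_headers = {
        "Authorization": "Bearer constructed-example-token",  # constructed credential
        "Accept": "application/fhir+json",
    }
    _status, trace = follow_redirects(
        ORIGIN_URL, request_headers, make_transport(routes), strip_on_origin_change
    )
    return {hop_url: sent for hop_url, sent in trace}


if __name__ == "__main__":
    leaky = run_scenario(CROSS_HOST_TARGET, strip_on_origin_change=False)
    fixed = run_scenario(CROSS_HOST_TARGET, strip_on_origin_change=True)
    print("vulnerable client sent to redirect target:", sorted(leaky[CROSS_HOST_TARGET]))
    print("hardened client sent to redirect target:  ", sorted(fixed[CROSS_HOST_TARGET]))
```

Running the file prints the two header sets the redirect target receives; with the vulnerable policy the Authorization header is among them, which is the disclosure the advisory describes. When auditing an HTTP client for this class of bug, the check is the one `headers_for_next_hop` performs: compare the full origin (scheme, host and port) of the current and next URL before deciding which headers to carry over, and keep forwarding only non-credential headers such as Accept across an origin change.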

Exploit

Fix

Information Disclosure


Weakness Enumeration

Related Identifiers

CVE-2026-33180
GHSA-p7m9-v2cm-2h7m

Affected Products

Hapi Fhir