PT-2026-29162 · Hapi Fhir · Hapi Fhir
Offset
Published 2026-03-30 · Updated 2026-05-26 · CVE-2026-34359
CVSS v3.1: 9.1 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
HAPI FHIR versions prior to 6.9.4
Description
The software uses String.startsWith() to match request URLs against configured server URLs when deciding which authentication credentials to dispatch. The configured server URLs carry no trailing slash and the comparison performs no host boundary check, so an attacker-controlled domain whose name merely begins with a configured server URL matches the prefix and receives the authentication credentials (Bearer tokens, Basic auth credentials, or API keys) when the HTTP client follows a redirect to that domain. The issue stems from the ManagedWebAccessUtils.getServer() function, specifically at org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/http/ManagedWebAccessUtils.java:26. The vulnerable configuration is at FhirSettingsPOJO.java:19, where the production terminology server URL is defined without a trailing slash. This allows an attacker to exploit the issue through redirect paths via SimpleHTTPClient or ManagedFhirWebAccessor, potentially leading to credential theft and impersonation. The same vulnerable pattern also exists in ManagedWebAccess.isLocal(), potentially enabling TLS downgrade for attacker-controlled domains.
Recommendations
Versions prior to 6.9.4: Replace the startsWith() check in ManagedWebAccessUtils.getServer() with proper URL host boundary validation. Apply the same fix to ManagedWebAccess.isLocal() and the three-argument getServer() overload.
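The prefix-match flaw described above and the host-boundary validation the recommendation calls for, as an added illustration that is not HAPI FHIR's own code: UrlBoundaryMatch and its methods are hypothetical stand-ins for the configured-server lookup, and the configured URL https://tx.example.org and the look-alike redirect host are constructed sample values.

```java
import java.net.URI;
import java.net.URISyntaxException;
// Added illustration, not HAPI FHIR's own code; UrlBoundaryMatch and its methods are
// hypothetical stand-ins for the configured-server lookup the advisory describes.
public class UrlBoundaryMatch {
    // Flawed pattern the advisory names: a bare prefix comparison, so a request to a host that
    // merely begins with the configured URL (e.g. tx.example.org.attacker.example) still matches.
    static boolean matchPrefixOnly(String configuredUrl, String requestUrl) {
        return requestUrl.startsWith(configuredUrl);
    }
    // Hardened variant: require identical scheme, host and effective port, then require the
    // configured path to be a whole-segment prefix of the normalized request path.
    static boolean matchHostBounded(String configuredUrl, String requestUrl) {
        URI cfg = parse(configuredUrl);
        URI req = parse(requestUrl);
        return cfg != null && req != null && sameOrigin(cfg, req) && pathWithinBase(cfg.getPath(), req.getPath());
    }
    static URI parse(String url) {
        try {
            URI u = new URI(url).normalize(); // collapses "/../" so the path comparison is meaningful
            return (u.getScheme() == null || u.getHost() == null) ? null : u; // reject opaque/relative URLs
        } catch (URISyntaxException e) {
            return null;
        }
    }
    static boolean sameOrigin(URI a, URI b) {
        return a.getScheme().equalsIgnoreCase(b.getScheme())
            && a.getHost().equalsIgnoreCase(b.getHost())
            && effectivePort(a) == effectivePort(b);
    }
    static int effectivePort(URI u) {
        return u.getPort() != -1 ? u.getPort() : ("https".equalsIgnoreCase(u.getScheme()) ? 443 : 80);
    }
    // "/fhir" must match "/fhir/Patient" but not "/fhirx": compare with a trailing slash on both sides.
    static boolean pathWithinBase(String basePath, String reqPath) {
        String base = (basePath == null || basePath.isEmpty()) ? "/" : basePath;
        String path = (reqPath == null || reqPath.isEmpty()) ? "/" : reqPath;
        if (!base.endsWith("/")) base += "/";
        if (!path.endsWith("/")) path += "/";
        return path.startsWith(base);
    }
    public static void main(String[] args) {
        String configured = "https://tx.example.org"; // constructed config value, no trailing slash
        String lookalike = "https://tx.example.org.attacker.example/fhir/metadata"; // constructed redirect target
        String genuine = "https://tx.example.org/ValueSet/$expand"; // constructed request to the real server
        System.out.println("prefix-only, lookalike: " + matchPrefixOnly(configured, lookalike));
        System.out.println("host-bounded, lookalike: " + matchHostBounded(configured, lookalike));
        System.out.println("host-bounded, genuine: " + matchHostBounded(configured, genuine));
    }
}
```

The same origin comparison also rejects a redirect target that smuggles the configured host into the userinfo part of the URL, since java.net.URI reports the real host there.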
Weakness Enumeration
Origin Validation Error
Affected Products
Hapi Fhir