PT-2026-29163 · Hapi Fhir · Hapi Fhir
Offset · Published 2026-03-30 · Updated 2026-03-31 · CVE-2026-34360

CVSS v3.1: 5.8 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: HAPI FHIR versions prior to 6.9.4

Description: The /loadIG API endpoint in the FHIR Validator HTTP service does not validate user-supplied URLs taken from a JSON body before making server-side HTTP requests to them. An unauthenticated attacker with network access to the service can therefore probe internal network services and cloud metadata endpoints and map network topology through error-based information leakage. The explore=true setting, which is the default for this code path, amplifies the reconnaissance value of each request by triggering multiple outbound HTTP calls. The issue stems from missing validation in LoadIGHTTPHandler.handle(), loadIg(), and Common.isNetworkPath(), combined with a permissive configuration in ManagedWebAccess.inAllowedPaths(). Redirect targets are not re-validated against the allowed domains, so an allowed host that redirects elsewhere can bypass the check. The server binds to all interfaces without authentication, and error messages propagate back to the attacker, revealing details about the network. This is a blind Server-Side Request Forgery (SSRF) issue, which limits the impact to network probing and information leakage.

Recommendations (versions prior to 6.9.4):
- Add URL validation in LoadIGHTTPHandler before passing the URL to loadIg(), rejecting private/internal IP ranges and non-standard ports.
- Re-validate redirect targets in SimpleHTTPClient.get(), checking inAllowedPaths() for each redirect URL.
- Configure allowedDomains by default to restrict outbound requests to known FHIR registries, or require explicit opt-in for open access.
- Add authentication to the HTTP service, at minimum for state-changing endpoints such as /loadIG.
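As an added illustration of the first two recommendations, the stand-alone Java guard below (not HAPI FHIR's own code; the class and method names are hypothetical) validates a client-supplied URL against an allow-list and private address ranges, and then follows redirects by hand so that every hop is re-validated before it is requested.

```java
import java.net.HttpURLConnection;
import java.net.Inet6Address;
import java.net.InetAddress;
import java.net.URI;
import java.util.Locale;
import java.util.Set;

// Hypothetical helper, not HAPI FHIR code: guards outbound fetches made for a client-supplied URL.
public final class OutboundUrlGuard {
    private static final int MAX_REDIRECTS = 5;

    // Accepts only http(s) on a default port, a host on the allow-list, and a host that resolves
    // exclusively to public addresses (loopback, link-local incl. 169.254.169.254, RFC 1918, ULA rejected).
    static URI validate(String raw, Set<String> allowedDomains) throws Exception {
        URI uri = new URI(raw);
        String scheme = uri.getScheme();
        if (!"http".equalsIgnoreCase(scheme) && !"https".equalsIgnoreCase(scheme))
            throw new SecurityException("scheme not allowed");
        int port = uri.getPort();
        if (port != -1 && port != 80 && port != 443)
            throw new SecurityException("non-standard port");
        String host = uri.getHost();
        if (host == null || !allowedDomains.contains(host.toLowerCase(Locale.ROOT)))
            throw new SecurityException("host not on allow-list");
        for (InetAddress a : InetAddress.getAllByName(host)) {
            boolean ula = a instanceof Inet6Address && (a.getAddress()[0] & 0xFE) == 0xFC; // fc00::/7
            if (ula || a.isLoopbackAddress() || a.isLinkLocalAddress() || a.isSiteLocalAddress()
                    || a.isAnyLocalAddress() || a.isMulticastAddress())
                throw new SecurityException("host resolves to a non-public address");
        }
        return uri;
    }

    // Follows redirects manually so every hop passes validate(); automatic following would skip it.
    static byte[] fetch(String raw, Set<String> allowedDomains) throws Exception {
        URI current = validate(raw, allowedDomains);
        for (int hop = 0; hop <= MAX_REDIRECTS; hop++) {
            HttpURLConnection c = (HttpURLConnection) current.toURL().openConnection();
            c.setInstanceFollowRedirects(false);
            c.setConnectTimeout(5_000);
            c.setReadTimeout(10_000);
            int status = c.getResponseCode();
            if (status >= 300 && status < 400) {
                String location = c.getHeaderField("Location");
                if (location == null) throw new SecurityException("redirect without Location");
                current = validate(current.resolve(location).toString(), allowedDomains);
                continue;
            }
            try (var in = c.getInputStream()) { return in.readAllBytes(); }
        }
        throw new SecurityException("too many redirects");
    }
}
```

The exception messages are deliberately generic so the endpoint can log the detail server-side and return a bland 400 to the client instead of leaking network information. The lookup in validate() and the later connect are separate DNS resolutions, so pair this with DNS pinning or a resolver cache where DNS rebinding is in scope.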

Tags: Exploit · Fix · SSRF

Weakness Enumeration

Related Identifiers
CVE-2026-34360
GHSA-3WW8-JW56-9F5H

Affected Products
Hapi Fhir