PT-2026-29164 · Hapi Fhir · Hapi Fhir

Published 2026-03-30 · Updated 2026-03-31 · CVE-2026-34361
CVSS v3.1 9.3 Critical
Vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: HAPI FHIR versions prior to 6.9.4
Description: The HAPI FHIR Validator HTTP service exposes an unauthenticated /loadIG endpoint that makes outbound HTTP requests to attacker-controlled URLs, a Server-Side Request Forgery (SSRF). Combined with a startsWith() URL prefix match in the credential provider (ManagedWebAccessUtils.getServer()), this lets an attacker obtain the authentication tokens (Bearer, Basic, API keys) configured for legitimate FHIR servers: the attacker registers a domain whose URL textually extends a configured server URL (for a configured https://fhir.example.org, a hypothetical https://fhir.example.org.attacker.example starts with the same string), and the credentials meant for the configured server are attached to the request sent to the attacker's host. The chain is as follows. LoadIGHTTPHandler.java accepts unauthenticated POST requests to /loadIG; IgLoader.loadIg() fetches the supplied URL without validating it; ManagedWebAccess uses the startsWith() comparison to decide whether to attach credentials to the outbound request; and SimpleHTTPClient follows redirects, so a request that initially targets a legitimate server can be redirected elsewhere, potentially amplifying the credential leak. To exploit this, an attacker sets up a credential capture server and triggers the SSRF with either a prefix-matching URL or a redirect. Possible consequences are credential theft, supply chain attacks, and data breaches.
Recommendations: Update to version 6.9.4 or later. Address the two root causes: compare URL origins (scheme, host and port) rather than string prefixes in ManagedWebAccessUtils, and restrict the URLs LoadIGHTTPHandler will fetch to an allowlist.
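The following Java program is an added example, not HAPI FHIR code: it contrasts a startsWith() credential lookup of the kind the description attributes to ManagedWebAccessUtils.getServer() with an origin comparison (scheme, host, port plus a path boundary), and simulates a redirect-following client to show why the credential decision must be repeated at every hop rather than made once for the first URL. The class name, method names, server URLs, tokens and the redirect table are all hypothetical and constructed for the demonstration; no network requests are made.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Added example, not HAPI FHIR code: class, method, host and token names are
// hypothetical stand-ins for the components the advisory describes.
public class CredentialScopeDemo {

    // Constructed configuration: credentials keyed by configured server URL.
    static final Map<String, String> SERVER_CREDENTIALS = new LinkedHashMap<>();
    static {
        SERVER_CREDENTIALS.put("https://fhir.example.org", "Bearer tok-example-org");
        SERVER_CREDENTIALS.put("https://tx.example.org:8443/fhir", "Basic dXNlcjpwYXNz");
    }
    // Constructed redirect table standing in for a server that answers 302.
    static final Map<String, String> REDIRECTS = Map.of(
        "https://fhir.example.org/ig/package.tgz", "https://collector.attacker.example/capture");

    // Vulnerable lookup: the textual prefix match the advisory describes.
    static String credentialVulnerable(String requestUrl) {
        for (Map.Entry<String, String> e : SERVER_CREDENTIALS.entrySet()) {
            if (requestUrl.startsWith(e.getKey())) return e.getValue();
        }
        return null;
    }

    // Normalised "scheme://host:port" with default ports filled in; null without a host.
    static String origin(URI u) {
        if (u.getScheme() == null || u.getHost() == null) return null;
        String scheme = u.getScheme().toLowerCase();
        int port = u.getPort();
        if (port == -1) port = "https".equals(scheme) ? 443 : "http".equals(scheme) ? 80 : -1;
        return scheme + "://" + u.getHost().toLowerCase() + ":" + port;
    }

    // Hardened lookup: equal origin, and the path equals the configured base path
    // or lies beneath it on a "/" boundary (so /fhirX does not match /fhir).
    static String credentialHardened(String requestUrl) {
        URI req;
        try {
            req = new URI(requestUrl);
        } catch (URISyntaxException ex) {
            return null;
        }
        String reqOrigin = origin(req);
        if (reqOrigin == null) return null;
        String path = req.getPath().isEmpty() ? "/" : req.getPath();
        for (Map.Entry<String, String> e : SERVER_CREDENTIALS.entrySet()) {
            URI cfg = URI.create(e.getKey());
            if (!reqOrigin.equals(origin(cfg))) continue;
            String base = cfg.getPath().isEmpty() ? "/" : cfg.getPath();
            String baseDir = base.endsWith("/") ? base : base + "/";
            if (path.equals(base) || path.startsWith(baseDir)) return e.getValue();
        }
        return null;
    }

    // Simulated redirect-following client. With recheckEachHop=false the credential
    // chosen for the first URL is replayed on every hop, which is how a redirect can
    // carry it to an attacker host; with true the decision is made afresh per hop.
    static List<String> credentialsSentPerHop(String startUrl, boolean recheckEachHop) {
        List<String> sent = new ArrayList<>();
        String url = startUrl;
        String cred = credentialHardened(url);
        for (int hop = 0; hop < 5 && url != null; hop++) {
            if (recheckEachHop) cred = credentialHardened(url);
            sent.add(url + " -> " + cred);
            url = REDIRECTS.get(url);
        }
        return sent;
    }

    public static void main(String[] args) {
        String[] probes = {
            "https://fhir.example.org/Patient/1",           // legitimate
            "https://fhir.example.org.attacker.example/ig", // attacker-registered prefix domain
            "https://fhir.example.org@attacker.example/ig", // userinfo trick, same textual prefix
            "https://tx.example.org:8443/fhir/metadata",    // legitimate, explicit port
            "https://tx.example.org:8443/fhirX/other",      // sibling path, prefix still matches
        };
        for (String p : probes) {
            System.out.printf("%-48s vulnerable=%-22s hardened=%s%n",
                p, credentialVulnerable(p), credentialHardened(p));
        }
        for (boolean recheck : new boolean[] {false, true}) {
            System.out.println("redirect chain, re-check per hop = " + recheck);
            credentialsSentPerHop("https://fhir.example.org/ig/package.tgz", recheck)
                .forEach(line -> System.out.println("  " + line));
        }
    }
}
```

Compile and run with javac and java (Java 9 or later, for Map.of). The prefix-domain and userinfo probes receive a configured credential from the vulnerable lookup and nothing from the hardened one, because java.net.URI parses the real host rather than the leading characters of the string; the sibling-path probe shows that the same prefix flaw also crosses path boundaries. The redirect chain shows the credential reaching the collector host only when the client reuses its first decision across hops. Origin comparison is the fix for the credential scoping bug; the /loadIG allowlist in the recommendation is a separate control that keeps the validator from fetching arbitrary hosts at all.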

Weakness Enumeration
Files Accessible to External Parties
Insufficiently Protected Credentials

Related Identifiers
CVE-2026-34361
GHSA-VR79-8M62-WH98

Affected Products
Hapi Fhir