CVE-2026-34359 (CRITICAL 9.1, EPSS percentile 5.3%)

Description

HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.4, ManagedWebAccessUtils.getServer() uses String.startsWith() to match request URLs against configured server URLs for authentication credential dispatch. Because configured server URLs (e.g., http://tx.fhir.org) lack a trailing slash or host boundary check, an attacker-controlled domain like http://tx.fhir.org.attacker.com matches the prefix and receives Bearer tokens, Basic auth credentials, or API keys when the HTTP client follows a redirect to that domain. This issue has been patched in version 6.9.4.

Scoring

CVSS 3.1: 9.1 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.16% probability of exploitation · percentile 5.3% · 2026-06-19T12:03:05Z
Published: 2026-03-31
Last modified: 2026-04-03

Underlying weaknesses (1)

CWE-346 (Origin Validation Error)

References

  1. https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-fgv2-4q4g-wc35

Type      Target                              Confidence  Tier
Weakness  Origin Validation Error (CWE-346)   0%          live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  - CVE: CVE-2026-34361
  - CVE: CVE-2026-46391
  - CVE: CVE-2026-11477
  - CVE: CVE-2026-41854
  - CVE: CVE-2026-34931
  - CVE: CVE-2026-49120

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.