Vulnerability Description
HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.4, the /loadIG HTTP endpoint in the FHIR Validator HTTP service accepts a user-supplied URL via JSON body and makes server-side HTTP requests to it without any hostname, scheme, or domain validation. An unauthenticated attacker with network access to the validator can probe internal network services, cloud metadata endpoints, and map network topology through error-based information leakage. With explore=true (the default for this code path), each request triggers multiple outbound HTTP calls, amplifying reconnaissance capability. This issue has been patched in version 6.9.4.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Hapifhir | Hl7 Fhir Core | < 6.9.4 |
Related Weaknesses (CWE)
References
- https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-3ww8-jw56ExploitVendor Advisory
- https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-3ww8-jw56ExploitVendor Advisory
FAQ
What is CVE-2026-34360?
CVE-2026-34360 is a vulnerability with a CVSS score of 5.8 (MEDIUM). HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.4, the /loadIG HTTP endpoint in the FHIR Validator HTTP service accepts a ...
How severe is CVE-2026-34360?
CVE-2026-34360 has been rated MEDIUM with a CVSS base score of 5.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-34360?
Check the references section above for vendor advisories and patch information. Affected products include: Hapifhir Hl7 Fhir Core.