{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33180", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T22:16:36.720Z", "datePublished": "2026-03-20T22:19:59.636Z", "dateUpdated": "2026-03-24T15:46:35.345Z"}, "containers": {"cna": {"title": "HAPI FHIR HTTP authentication leak in redirects", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-p7m9-v2cm-2h7m", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-p7m9-v2cm-2h7m"}], "affected": [{"vendor": "hapifhir", "product": "org.hl7.fhir.core", "versions": [{"version": "< 6.9.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T22:19:59.636Z"}, "descriptions": [{"lang": "en", "value": "HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.0, when setting headers in HTTP requests, the internal HTTP client sends headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the Location: response header value. Sending the same set of headers to subsequent hosts is a problem as this header often contains privacy sensitive information or data that could allow others to impersonate the client's request. This issue has been patched in release 6.9.0. No known workarounds are available."}], "source": {"advisory": "GHSA-p7m9-v2cm-2h7m", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T15:44:33.989435Z", "id": "CVE-2026-33180", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T15:46:35.345Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33180", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-24T15:44:33.989435Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T15:46:28.462Z"}}], "cna": {"title": "HAPI FHIR HTTP authentication leak in redirects", "source": {"advisory": "GHSA-p7m9-v2cm-2h7m", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "hapifhir", "product": "org.hl7.fhir.core", "versions": [{"status": "affected", "version": "< 6.9.0"}]}], "references": [{"url": "https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-p7m9-v2cm-2h7m", "name": "https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-p7m9-v2cm-2h7m", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.0, when setting headers in HTTP requests, the internal HTTP client sends headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the Location: response header value. Sending the same set of headers to subsequent hosts is a problem as this header often contains privacy sensitive information or data that could allow others to impersonate the client's request. This issue has been patched in release 6.9.0. No known workarounds are available."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T22:19:59.636Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33180", "state": "PUBLISHED", "dateUpdated": "2026-03-24T15:46:35.345Z", "dateReserved": "2026-03-17T22:16:36.720Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T22:19:59.636Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.0, when setting headers in HTTP requests, the internal HTTP client sends headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the Location: response header value. Sending the same set of headers to subsequent hosts is a problem as this header often contains privacy sensitive information or data that could allow others to impersonate the client's request. This issue has been patched in release 6.9.0. No known workarounds are available."}, {"lang": "es", "value": "HAPI FHIR es una implementaci\u00f3n completa del est\u00e1ndar HL7 FHIR para la interoperabilidad sanitaria en Java. Antes de la versi\u00f3n 6.9.0, al establecer encabezados en las solicitudes HTTP, el cliente HTTP interno env\u00eda los encabezados primero al host en la URL inicial, pero tambi\u00e9n, si se le pide que siga redireccionamientos y se devuelve un c\u00f3digo de respuesta HTTP 30X, al host mencionado en la URL en el valor del encabezado de respuesta Location:. Enviar el mismo conjunto de encabezados a hosts subsiguientes es un problema, ya que este encabezado a menudo contiene informaci\u00f3n sensible a la privacidad o datos que podr\u00edan permitir a otros suplantar la solicitud del cliente. Este problema ha sido parcheado en la versi\u00f3n 6.9.0. No se conocen soluciones alternativas disponibles."}], "id": "CVE-2026-33180", "lastModified": "2026-04-28T21:13:28.120", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T23:16:45.020", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-p7m9-v2cm-2h7m"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "HAPI FHIR: hapifhir/org.hl7.fhir.core: HAPI FHIR: Information disclosure and potential impersonation via HTTP redirects sending sensitive headers", "id": "2449841", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449841"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.2", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N", "status": "draft"}, "cwe": "CWE-201", "details": ["A flaw was found in HAPI FHIR, a Java implementation of the HL7 FHIR standard. When the internal HTTP client follows redirects (HTTP 30X response codes), it can inadvertently send sensitive HTTP headers, such as authentication tokens, to unintended third-party hosts. This information disclosure could allow a remote attacker to gain unauthorized access or impersonate the client's requests, potentially compromising sensitive data."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-33180", "package_state": [{"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Affected", "package_name": "ca.uhn.hapi.fhir-org.hl7.fhir.core", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Affected", "package_name": "org.hl7.fhir.convertors", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Affected", "package_name": "org.hl7.fhir.validation", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Affected", "package_name": "org.hl7.fhir.validation.cli", "product_name": "Red Hat Fuse 7"}], "public_date": "2026-03-20T22:19:59Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33180\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33180\nhttps://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-p7m9-v2cm-2h7m"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.9.0)"}}], "enrichment": {"confidence": 92.0, "confidence_source": "matching", "scores": [{"score": 92.0, "source": "matching"}]}, "original": {"product": "org.hl7.fhir.core", "source": "cna", "vendor": "hapifhir"}, "product": "hl7_fhir_core", "vendor": "hapifhir"}], "analysis": {"en": {"generated_at": "2026-03-23T13:53:50.605392+00:00", "value": {"mitigation_remediation": ["Update HAPI FHIR to version 6.9.0 or later"], "summary": {"action": "Immediate Patch", "impact": "Information Exposure via leaked authentication headers"}, "threat_synthesis": {"affected_systems": "The issue affects the HAPI FHIR library (org.hl7.fhir.core), specifically all versions prior to 6.9.0. Users running these earlier releases are exposed to the risk described.", "description_and_impact": "HAPI FHIR\u2019s internal HTTP client mistakenly forwards authentication or other sensitive headers to any hosts specified in a 30X Location header during redirects. This behavior can reveal credentials or other private data to an attacker who controls the redirect target, potentially allowing impersonation of legitimate client requests. The vulnerability is a classic information\u2011disclosure flaw identified by CWE\u2011200 and CWE\u2011201.", "risk_and_exploitability": "With a CVSS score of 7.5 and an EPSS score below 1%, the flaw carries a moderate\u2011high severity, although exploitation likelihood is relatively low due to the reliance on a redirect response. The vulnerability is not listed in CISA\u2019s KEV catalog. An attacker could exploit the weakness by provoking a redirect to a malicious server; because the attack requires only a standard HTTP request that triggers a redirect, it is considered externally exploitable."}}}}, "created": "2026-03-23T09:52:29.580161+00:00", "updated": "2026-03-25T14:34:23.368859+00:00", "vendors": ["hapifhir", "hapifhir$PRODUCT$hl7_fhir_core"]}