{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34359", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-27T13:43:14.368Z", "datePublished": "2026-03-31T16:56:01.235Z", "dateUpdated": "2026-03-31T19:09:08.160Z"}, "containers": {"cna": {"title": "HAPI FHIR: Authentication Credential Leakage via Improper URL Prefix Matching on HTTP Redirect in HAPI FHIR Core", "problemTypes": [{"descriptions": [{"cweId": "CWE-346", "lang": "en", "description": "CWE-346: Origin Validation Error", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-fgv2-4q4g-wc35", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-fgv2-4q4g-wc35"}], "affected": [{"vendor": "hapifhir", "product": "org.hl7.fhir.core", "versions": [{"version": "< 6.9.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T16:56:01.235Z"}, "descriptions": [{"lang": "en", "value": "HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.4, ManagedWebAccessUtils.getServer() uses String.startsWith() to match request URLs against configured server URLs for authentication credential dispatch. Because configured server URLs (e.g., http://tx.fhir.org) lack a trailing slash or host boundary check, an attacker-controlled domain like http://tx.fhir.org.attacker.com matches the prefix and receives Bearer tokens, Basic auth credentials, or API keys when the HTTP client follows a redirect to that domain. This issue has been patched in version 6.9.4."}], "source": {"advisory": "GHSA-fgv2-4q4g-wc35", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-fgv2-4q4g-wc35", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T18:39:23.690008Z", "id": "CVE-2026-34359", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T19:09:08.160Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34359", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-31T18:39:23.690008Z"}}}], "references": [{"url": "https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-fgv2-4q4g-wc35", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T19:04:39.513Z"}}], "cna": {"title": "HAPI FHIR: Authentication Credential Leakage via Improper URL Prefix Matching on HTTP Redirect in HAPI FHIR Core", "source": {"advisory": "GHSA-fgv2-4q4g-wc35", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "hapifhir", "product": "org.hl7.fhir.core", "versions": [{"status": "affected", "version": "< 6.9.4"}]}], "references": [{"url": "https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-fgv2-4q4g-wc35", "name": "https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-fgv2-4q4g-wc35", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.4, ManagedWebAccessUtils.getServer() uses String.startsWith() to match request URLs against configured server URLs for authentication credential dispatch. Because configured server URLs (e.g., http://tx.fhir.org) lack a trailing slash or host boundary check, an attacker-controlled domain like http://tx.fhir.org.attacker.com matches the prefix and receives Bearer tokens, Basic auth credentials, or API keys when the HTTP client follows a redirect to that domain. This issue has been patched in version 6.9.4."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-346", "description": "CWE-346: Origin Validation Error"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T16:56:01.235Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34359", "state": "PUBLISHED", "dateUpdated": "2026-03-31T19:09:08.160Z", "dateReserved": "2026-03-27T13:43:14.368Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-31T16:56:01.235Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hapifhir:hl7_fhir_core:*:*:*:*:*:*:*:*", "matchCriteriaId": "03C38881-A545-4EB5-BF3A-E15EF3D0F995", "versionEndExcluding": "6.9.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.4, ManagedWebAccessUtils.getServer() uses String.startsWith() to match request URLs against configured server URLs for authentication credential dispatch. Because configured server URLs (e.g., http://tx.fhir.org) lack a trailing slash or host boundary check, an attacker-controlled domain like http://tx.fhir.org.attacker.com matches the prefix and receives Bearer tokens, Basic auth credentials, or API keys when the HTTP client follows a redirect to that domain. This issue has been patched in version 6.9.4."}], "id": "CVE-2026-34359", "lastModified": "2026-04-03T13:34:11.017", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-31T17:16:31.937", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-fgv2-4q4g-wc35"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-fgv2-4q4g-wc35"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-346"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.9.4)"}}], "enrichment": {"confidence": 92.0, "confidence_source": "matching", "scores": [{"score": 92.0, "source": "matching"}]}, "original": {"product": "org.hl7.fhir.core", "source": "cna", "vendor": "hapifhir"}, "product": "hl7_fhir_core", "vendor": "hapifhir"}], "analysis": {"en": {"generated_at": "2026-04-03T16:39:14.598646+00:00", "value": {"mitigation_remediation": ["Upgrade HAPI FHIR Core to version 6.9.4 or later."], "summary": {"action": "Patch", "impact": "Credential Leakage via Redirect"}, "threat_synthesis": {"affected_systems": "The issue affects installations of the HAPI FHIR Core library, specifically versions released prior to 6.9.4. Anyone using the original org.hl7.fhir.core package for healthcare interoperability in Java is vulnerable until the library is upgraded. The bug is tied to the ManagedWebAccessUtils.getServer() component, which was corrected in the 6.9.4 release.\n\n", "description_and_impact": "HAPI FHIR Core mishandles URL prefix matching when sending authentication credentials. The code compares configured server URLs using a simple string prefix test, ignoring trailing slashes or host boundaries. As a result, a domain that only shares a prefix\u2014such as http://tx.fhir.org.attacker.com\u2014can masquerade as the legitimate server. When a client follows an HTTP redirect to that domain, the server inadvertently dispatches Bearer tokens, Basic authentication credentials, or API keys intended for the real service. The improperly matched URL leads to exposure of sensitive authentication data, enabling attackers to impersonate users or access protected resources.\n\n", "risk_and_exploitability": "The vulnerability carries a CVSS score of 7.4, indicating high severity. EPSS scoring shows a probability of exploitation below 1\u202f%, and the vulnerability is not currently listed in the CISA KEV catalog. The attack vector is remote, requiring an attacker to control or manipulate an arbitrary redirect target. A client that follows the HTTP redirect can capture the leaked credentials without needing local access. Given the low EPSS, widespread exploitation is unlikely, but highly motivated attackers or malicious intermediaries could deploy this technique, especially in environments that trust surfaces or that use the library without additional redirect validation.\n\n"}}}}, "created": "2026-03-31T19:53:54.041797+00:00", "updated": "2026-04-03T21:17:32.425871+00:00", "vendors": ["hapifhir", "hapifhir$PRODUCT$hl7_fhir_core"]}