{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34360", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-27T13:43:14.368Z", "datePublished": "2026-03-31T16:56:05.034Z", "dateUpdated": "2026-04-01T13:58:24.359Z"}, "containers": {"cna": {"title": "HAPI FHIR: Unauthenticated Blind SSRF via /loadIG Endpoint Enables Internal Network Probing", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-3ww8-jw56-9f5h", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-3ww8-jw56-9f5h"}], "affected": [{"vendor": "hapifhir", "product": "org.hl7.fhir.core", "versions": [{"version": "< 6.9.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T16:56:05.034Z"}, "descriptions": [{"lang": "en", "value": "HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.4, the /loadIG HTTP endpoint in the FHIR Validator HTTP service accepts a user-supplied URL via JSON body and makes server-side HTTP requests to it without any hostname, scheme, or domain validation. An unauthenticated attacker with network access to the validator can probe internal network services, cloud metadata endpoints, and map network topology through error-based information leakage. With explore=true (the default for this code path), each request triggers multiple outbound HTTP calls, amplifying reconnaissance capability. This issue has been patched in version 6.9.4."}], "source": {"advisory": "GHSA-3ww8-jw56-9f5h", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-3ww8-jw56-9f5h", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-01T13:58:21.003935Z", "id": "CVE-2026-34360", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T13:58:24.359Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34360", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-01T13:58:21.003935Z"}}}], "references": [{"url": "https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-3ww8-jw56-9f5h", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T13:58:14.891Z"}}], "cna": {"title": "HAPI FHIR: Unauthenticated Blind SSRF via /loadIG Endpoint Enables Internal Network Probing", "source": {"advisory": "GHSA-3ww8-jw56-9f5h", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "hapifhir", "product": "org.hl7.fhir.core", "versions": [{"status": "affected", "version": "< 6.9.4"}]}], "references": [{"url": "https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-3ww8-jw56-9f5h", "name": "https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-3ww8-jw56-9f5h", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.4, the /loadIG HTTP endpoint in the FHIR Validator HTTP service accepts a user-supplied URL via JSON body and makes server-side HTTP requests to it without any hostname, scheme, or domain validation. An unauthenticated attacker with network access to the validator can probe internal network services, cloud metadata endpoints, and map network topology through error-based information leakage. With explore=true (the default for this code path), each request triggers multiple outbound HTTP calls, amplifying reconnaissance capability. This issue has been patched in version 6.9.4."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T16:56:05.034Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34360", "state": "PUBLISHED", "dateUpdated": "2026-04-01T13:58:24.359Z", "dateReserved": "2026-03-27T13:43:14.368Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-31T16:56:05.034Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hapifhir:hl7_fhir_core:*:*:*:*:*:*:*:*", "matchCriteriaId": "03C38881-A545-4EB5-BF3A-E15EF3D0F995", "versionEndExcluding": "6.9.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.4, the /loadIG HTTP endpoint in the FHIR Validator HTTP service accepts a user-supplied URL via JSON body and makes server-side HTTP requests to it without any hostname, scheme, or domain validation. An unauthenticated attacker with network access to the validator can probe internal network services, cloud metadata endpoints, and map network topology through error-based information leakage. With explore=true (the default for this code path), each request triggers multiple outbound HTTP calls, amplifying reconnaissance capability. This issue has been patched in version 6.9.4."}], "id": "CVE-2026-34360", "lastModified": "2026-04-03T13:15:19.540", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-31T17:16:32.767", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-3ww8-jw56-9f5h"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-3ww8-jw56-9f5h"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.9.4)"}}], "enrichment": {"confidence": 92.0, "confidence_source": "matching", "scores": [{"score": 92.0, "source": "matching"}]}, "original": {"product": "org.hl7.fhir.core", "source": "cna", "vendor": "hapifhir"}, "product": "hl7_fhir_core", "vendor": "hapifhir"}], "analysis": {"en": {"generated_at": "2026-04-03T16:38:47.989225+00:00", "value": {"mitigation_remediation": ["Apply HAPI FHIR patch to version 6.9.4 or later.", "Restrict the /loadIG endpoint to authenticated users or block outbound HTTP requests from the FHIR Validator service."], "summary": {"action": "Immediate Patch", "impact": "Internal Network Discovery via Blind SSRF"}, "threat_synthesis": {"affected_systems": "The flaw exists in the HAPI FHIR library from hapifhir:org.hl7.fhir.core prior to version 6.9.4. Only deployments that expose the /loadIG endpoint of the FHIR Validator HTTP service are affected without the patch. Systems running 6.9.4 or later are not vulnerable. No other vendors or versions are listed in the CVE record.", "description_and_impact": "This vulnerability allows an unauthenticated user to send a crafted JSON body to the /loadIG endpoint of the HAPI FHIR Validator HTTP service. Because the service does not validate the hostname, scheme, or domain of the supplied URL, it performs server\u2011side HTTP requests to that address. The response errors reveal internal host names or IPs, enabling a remote attacker to probe internal network services, cloud metadata endpoints, and map the topology. The lack of authentication and unchecked outbound traffic makes it a blind SSRF that can be used for reconnaissance rather than direct exploitation.", "risk_and_exploitability": "The CVSS score of 5.8 indicates moderate severity; the EPSS score below 1% implies a low probability of exploitation in the wild, and the vulnerability is not listed in CISA\u2019s KEV catalog. Nevertheless, because the endpoint is reachable over the network and requires no authentication, an unauthenticated attacker can carry out reconnaissance with minimal effort. The primary impact is internal network discovery, which could be a stepping stone to more serious attacks."}}}}, "created": "2026-03-31T19:53:52.865467+00:00", "updated": "2026-04-03T21:17:31.496576+00:00", "vendors": ["hapifhir", "hapifhir$PRODUCT$hl7_fhir_core"]}