CVE-2026-34360: CWE-918: Server-Side Request Forgery (SSRF) in hapifhir org.hl7.fhir.core
CVE-2026-34360 is a Server-Side Request Forgery (SSRF) vulnerability in the HAPI FHIR org.hl7.fhir.core Java implementation prior to version 6.9.4. The vulnerability exists in the /loadIG HTTP endpoint of the FHIR Validator HTTP service, which accepts a user-supplied URL in the JSON body and makes server-side HTTP requests without validating hostname, scheme, or domain. This allows an unauthenticated attacker with network access to the validator to perform internal network reconnaissance, including probing internal services and cloud metadata endpoints. The default setting explore=true causes multiple outbound HTTP calls per request, amplifying the attacker's ability to map network topology and gather information through error-based leakage. The vulnerability has a CVSS score of 5.
AI Analysis
Technical Summary
HAPI FHIR is a widely used Java implementation of the HL7 FHIR standard for healthcare interoperability. The vulnerability CVE-2026-34360 is a Server-Side Request Forgery (SSRF) flaw identified in versions of the org.hl7.fhir.core library prior to 6.9.4. Specifically, the /loadIG HTTP endpoint in the FHIR Validator HTTP service accepts a URL parameter via a JSON payload and performs server-side HTTP requests to that URL without validating the hostname, scheme, or domain. This lack of validation allows an unauthenticated attacker with network access to the validator service to supply arbitrary URLs, causing the server to make requests to internal network resources or cloud metadata endpoints that are normally inaccessible externally. The default parameter explore=true triggers multiple outbound HTTP requests per single attacker request, amplifying the reconnaissance capabilities. Through this, attackers can probe internal services, enumerate network topology, and extract sensitive information via error messages or response content. The vulnerability does not require authentication or user interaction, increasing its risk. Although no known exploits are reported in the wild yet, the vulnerability poses a significant risk to internal network confidentiality. The issue was addressed and patched in version 6.9.4 of the HAPI FHIR library.
Potential Impact
This SSRF vulnerability enables unauthenticated attackers to perform internal network reconnaissance and potentially access sensitive internal services that are not exposed externally. For healthcare organizations using HAPI FHIR, this could lead to exposure of internal infrastructure details, cloud metadata services (which may contain credentials or tokens), and other protected resources. While the vulnerability itself does not directly allow data modification or denial of service, the information gathered can facilitate further attacks such as lateral movement, privilege escalation, or targeted exploitation of internal services. Given the critical nature of healthcare data and infrastructure, unauthorized internal network mapping can increase the risk of data breaches and operational disruption. The amplification effect due to multiple outbound calls per request can also increase the load on internal services, potentially impacting availability indirectly. Organizations worldwide that deploy vulnerable versions of HAPI FHIR in their healthcare interoperability stacks are at risk, especially those with complex internal networks or cloud environments.
Mitigation Recommendations
The primary mitigation is to upgrade HAPI FHIR to version 6.9.4 or later, where this SSRF vulnerability has been patched. Until upgrading is possible, organizations should implement network-level controls to restrict outbound HTTP requests from the FHIR Validator service to only trusted destinations, using egress filtering or firewall rules. Additionally, deploying web application firewalls (WAFs) with SSRF detection rules can help detect and block malicious requests targeting the /loadIG endpoint. Monitoring and logging outbound HTTP requests from the validator service can aid in identifying suspicious activity. If feasible, disable or restrict the /loadIG endpoint or the explore=true functionality to reduce the attack surface. Finally, conduct internal network segmentation to limit the exposure of sensitive internal services and cloud metadata endpoints to the validator host.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Japan, South Korea, Netherlands, Sweden, Switzerland, Singapore
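One defender-side URL policy for a /loadIG-style endpoint, as an added example that is not HAPI FHIR code: it applies the hostname, scheme and domain validation the advisory says is missing, deny-by-default against an allowlist. The hostnames ig.example.org and packages.example.org are constructed placeholders for whatever IG sources a deployment actually trusts.

```python
"""Deny-by-default URL policy for server-side IG fetches (added example, not project code)."""
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: hosts the validator is permitted to fetch IGs from.
TRUSTED_HOSTS = {"ig.example.org", "packages.example.org"}
ALLOWED_SCHEMES = {"http", "https"}


def check_ig_url(url: str, trusted_hosts=TRUSTED_HOSTS) -> tuple[bool, str]:
    """Return (allowed, reason). Only http(s) to an allowlisted host, with no
    embedded credentials, no IP literals and no non-default ports, is allowed."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:  # e.g. malformed IPv6 brackets
        return False, f"unparseable url: {exc}"
    # Scheme: blocks file:, gopher:, ftp: and anything else the HTTP client might follow.
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme or '<none>'}"
    # user:pass@host forms are a classic way to confuse naive host parsing.
    if parts.username is not None or parts.password is not None:
        return False, "credentials in url"
    host = (parts.hostname or "").lower()
    if not host:
        return False, "missing host"
    # Reject every IP literal (v4 or v6): this covers loopback, RFC1918 ranges and
    # link-local cloud metadata endpoints without maintaining a denylist.
    try:
        ipaddress.ip_address(host)
        return False, "ip literal not allowed"
    except ValueError:
        pass
    try:
        if parts.port not in (None, 80, 443):
            return False, f"port not allowed: {parts.port}"
    except ValueError:
        return False, "invalid port"
    # Domain: exact match or subdomain of a trusted host; everything else is denied.
    if not any(host == t or host.endswith("." + t) for t in trusted_hosts):
        return False, f"host not in allowlist: {host}"
    return True, "ok"


def audit(urls):
    """Apply the policy to a batch of candidate URLs; useful for log review."""
    return [(u, *check_ig_url(u)) for u in urls]


if __name__ == "__main__":
    for row in audit(["https://ig.example.org/pkg.tgz", "http://localhost/", "file:///etc/hosts"]):
        print(row)
```

The allowlist is matched on the name only; name resolution is not checked here, so pair this with egress filtering or re-validate the resolved address at connect time to cover DNS rebinding.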
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-27T13:43:14.368Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69cbff80e6bfc5ba1d29f7c0
Added to database: 3/31/2026, 5:08:16 PM
Last enriched: 3/31/2026, 5:23:57 PM
Last updated: 3/31/2026, 6:41:01 PM