CVE-2026-34360: CWE-918: Server-Side Request Forgery (SSRF) in hapifhir org.hl7.fhir.core
HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.4, the /loadIG HTTP endpoint in the FHIR Validator HTTP service accepts a user-supplied URL via JSON body and makes server-side HTTP requests to it without any hostname, scheme, or domain validation. An unauthenticated attacker with network access to the validator can probe internal network services, cloud metadata endpoints, and map network topology through error-based information leakage. With explore=true (the default for this code path), each request triggers multiple outbound HTTP calls, amplifying reconnaissance capability. This issue has been patched in version 6.9.4.
AI Analysis
Technical Summary
The vulnerability CVE-2026-34360 affects HAPI FHIR's org.hl7.fhir.core component in versions before 6.9.4. The /loadIG HTTP endpoint in the FHIR Validator service accepts a URL from the user and performs server-side HTTP requests without validating the URL's hostname, scheme, or domain. This lack of validation allows unauthenticated attackers with network access to perform SSRF attacks, enabling them to scan internal networks and cloud metadata services, potentially revealing sensitive information. The default parameter explore=true causes multiple outbound HTTP calls per request, amplifying the reconnaissance capability. The issue has been addressed in version 6.9.4.
Potential Impact
An unauthenticated attacker with network access to the vulnerable FHIR Validator service can exploit this SSRF vulnerability to perform internal network reconnaissance, including accessing cloud metadata endpoints and mapping network topology. This may lead to information disclosure of internal infrastructure details. The CVSS score is 5.8 (medium severity), reflecting limited confidentiality impact without direct integrity or availability effects.
Mitigation Recommendations
This vulnerability is patched in HAPI FHIR version 6.9.4. Users should upgrade to version 6.9.4 or later to remediate the issue. Since this is not a cloud service, remediation depends on applying the official fix. Until upgraded, restrict network access to the FHIR Validator HTTP service to trusted users only.
CVE-2026-34360: CWE-918: Server-Side Request Forgery (SSRF) in hapifhir org.hl7.fhir.core
Description
HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.4, the /loadIG HTTP endpoint in the FHIR Validator HTTP service accepts a user-supplied URL via JSON body and makes server-side HTTP requests to it without any hostname, scheme, or domain validation. An unauthenticated attacker with network access to the validator can probe internal network services, cloud metadata endpoints, and map network topology through error-based information leakage. With explore=true (the default for this code path), each request triggers multiple outbound HTTP calls, amplifying reconnaissance capability. This issue has been patched in version 6.9.4.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability CVE-2026-34360 affects HAPI FHIR's org.hl7.fhir.core component in versions before 6.9.4. The /loadIG HTTP endpoint in the FHIR Validator service accepts a URL from the user and performs server-side HTTP requests without validating the URL's hostname, scheme, or domain. This lack of validation allows unauthenticated attackers with network access to perform SSRF attacks, enabling them to scan internal networks and cloud metadata services, potentially revealing sensitive information. The default parameter explore=true causes multiple outbound HTTP calls per request, amplifying the reconnaissance capability. The issue has been addressed in version 6.9.4.
Potential Impact
An unauthenticated attacker with network access to the vulnerable FHIR Validator service can exploit this SSRF vulnerability to perform internal network reconnaissance, including accessing cloud metadata endpoints and mapping network topology. This may lead to information disclosure of internal infrastructure details. The CVSS score is 5.8 (medium severity), reflecting limited confidentiality impact without direct integrity or availability effects.
Mitigation Recommendations
This vulnerability is patched in HAPI FHIR version 6.9.4. Users should upgrade to version 6.9.4 or later to remediate the issue. Since this is not a cloud service, remediation depends on applying the official fix. Until upgraded, restrict network access to the FHIR Validator HTTP service to trusted users only.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-27T13:43:14.368Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69cbff80e6bfc5ba1d29f7c0
Added to database: 3/31/2026, 5:08:16 PM
Last enriched: 4/8/2026, 4:13:33 AM
Last updated: 5/15/2026, 10:33:57 PM
Views: 86
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.