CVE-2026-34361: CWE-552: Files or Directories Accessible to External Parties in hapifhir org.hl7.fhir.core
HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.4, the FHIR Validator HTTP service exposes an unauthenticated "/loadIG" endpoint that makes outbound HTTP requests to attacker-controlled URLs. Combined with a startsWith() URL prefix matching flaw in the credential provider (ManagedWebAccessUtils.getServer()), an attacker can steal authentication tokens (Bearer, Basic, API keys) configured for legitimate FHIR servers by registering a domain that prefix-matches a configured server URL. This issue has been patched in version 6.9.4.
AI Analysis
Technical Summary
HAPI FHIR is a Java-based implementation of the HL7 FHIR standard widely used for healthcare interoperability. In versions prior to 6.9.4, the FHIR Validator HTTP service exposes an unauthenticated endpoint named /loadIG. This endpoint allows external parties to trigger outbound HTTP requests to arbitrary URLs. The vulnerability arises from a flawed implementation in the credential provider component (ManagedWebAccessUtils.getServer()), which uses a startsWith() method for URL prefix matching. This logic flaw enables an attacker to register a domain name that prefix-matches a legitimate FHIR server URL configured in the system. When the vulnerable service makes requests to the attacker-controlled domain, it inadvertently sends stored authentication tokens (Bearer tokens, Basic Auth credentials, API keys) to the attacker. These tokens can then be stolen and used to access legitimate FHIR servers with elevated privileges. The vulnerability is classified under CWE-552, indicating files or directories accessible to external parties, but here it manifests as unauthorized disclosure of sensitive tokens via crafted HTTP requests. The CVSS v3.1 score is 9.3 (critical), reflecting the high impact on confidentiality, ease of exploitation without authentication or user interaction, and the broad scope of affected systems using the vulnerable library. No known exploits in the wild have been reported yet, but the severity and simplicity of exploitation make this a significant threat to healthcare data security. The issue was publicly disclosed and patched in version 6.9.4 of HAPI FHIR.
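The prefix-matching flaw described above, illustrated in Python as an added example (not HAPI FHIR's own code): `naive_prefix_match` mirrors a plain `startsWith()` lookup, `strict_match` compares the parsed origin (scheme, host, port) exactly and only allows a path prefix at a `/` boundary, and `find_prefix_overlaps` is the configuration audit a defender would run. Server URLs and tokens are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed sample credential store: configured server URL -> stored token.
CONFIGURED_SERVERS = {
    "https://fhir.example.org": "Bearer PLACEHOLDER_TOKEN",
    "http://terminology.example.org:8080/fhir": "Basic PLACEHOLDER_CREDS",
}

DEFAULT_PORTS = {"http": 80, "https": 443}


def naive_prefix_match(url):
    """Flawed lookup: a string prefix test, as Java startsWith() would do.
    Any URL whose text begins with a configured server URL gets its token,
    including a lookalike host such as fhir.example.org.<other-domain>."""
    for server, token in CONFIGURED_SERVERS.items():
        if url.startswith(server):
            return token
    return None


def _origin_and_path(url):
    """Split a URL into (scheme, lowercase host, effective port) and path."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"unsupported or malformed URL: {url!r}")
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    return (parts.scheme, parts.hostname, port), (parts.path or "/")


def strict_match(url):
    """Hardened lookup: the origin must be identical and the request path must
    equal the configured path or extend it past a '/' separator."""
    origin, path = _origin_and_path(url)
    for server, token in CONFIGURED_SERVERS.items():
        s_origin, s_path = _origin_and_path(server)
        if origin != s_origin:
            continue
        base = s_path.rstrip("/")
        if path == base or path == base + "/" or path.startswith(base + "/"):
            return token
    return None


def find_prefix_overlaps(servers=CONFIGURED_SERVERS):
    """Audit helper: report configured URLs that are string prefixes of one
    another, since under prefix matching the lookup order decides the token."""
    urls = list(servers)
    return [(a, b) for a in urls for b in urls if a != b and b.startswith(a)]
```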
Potential Impact
The primary impact of CVE-2026-34361 is the unauthorized disclosure of sensitive authentication tokens used to access FHIR servers. This compromises the confidentiality of protected health information (PHI) and other sensitive healthcare data accessible via these servers. Attackers gaining these tokens can impersonate legitimate clients, perform unauthorized queries, modify data if tokens allow, or disrupt healthcare workflows. Although integrity impact is rated lower, stolen tokens could enable limited unauthorized modifications depending on token privileges. Availability is not directly affected by this vulnerability. Globally, healthcare organizations relying on HAPI FHIR for interoperability and data exchange are at risk of data breaches, regulatory non-compliance (e.g., HIPAA, GDPR), reputational damage, and potential financial penalties. The unauthenticated nature and lack of user interaction required for exploitation increase the likelihood of automated attacks and large-scale token theft campaigns. This threat undermines trust in healthcare data exchange platforms and could facilitate further attacks such as ransomware or fraud if attackers leverage stolen tokens for lateral movement within healthcare networks.
Mitigation Recommendations
Organizations should immediately upgrade all HAPI FHIR deployments to version 6.9.4 or later, where this vulnerability is patched. Until upgrades are completed, restrict access to the /loadIG endpoint using network-level controls such as firewalls or API gateways to prevent unauthenticated external access. Review and audit all configured FHIR server URLs to ensure no prefix-overlapping domains exist that could be exploited. Implement strict validation and allowlisting of outbound HTTP requests initiated by the FHIR Validator service. Rotate all authentication tokens (Bearer, Basic, API keys) used by FHIR clients and servers after patching to invalidate any potentially stolen credentials. Employ monitoring and alerting for unusual outbound HTTP requests and token usage patterns. Consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the vulnerable endpoint. Educate development and security teams about secure URL matching practices to avoid similar logic flaws in future implementations. Finally, conduct penetration testing and code reviews focused on authentication token handling and external request mechanisms.
Affected Countries
United States, Canada, United Kingdom, Germany, France, Australia, Japan, South Korea, India, Brazil, Netherlands, Sweden, Norway, Switzerland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-27T13:43:14.368Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69cbff80e6bfc5ba1d29f7c3
Added to database: 3/31/2026, 5:08:16 PM
Last enriched: 3/31/2026, 5:23:26 PM
Last updated: 3/31/2026, 6:11:13 PM