CVE-2026-55471: CWE-611: Improper Restriction of XML External Entity Reference in hapifhir org.hl7.fhir.core
A vulnerability in HAPI FHIR's org.hl7.fhir.core prior to version 6.9.10 allows XML External Entity (XXE) injection due to improper restriction of external entity references in XML transformations. This can lead to local file disclosure and blind XXE or SSRF attacks to arbitrary URLs accessible from the host. The issue is fixed in version 6.9.10.
AI Analysis
Technical Summary
HAPI FHIR versions before 6.9.10 in the org.hl7.fhir.core component contain an XML External Entity (XXE) vulnerability (CWE-611) in the saxonTransform(...) method of org.hl7.fhir.utilities.XsltUtilities. The vulnerability arises because the code instantiates net.sf.saxon.TransformerFactoryImpl() without restricting ACCESS_EXTERNAL_DTD or ACCESS_EXTERNAL_STYLESHEET, enabling attackers who can control or tamper with the transformed XML to perform XXE attacks. This can result in local file disclosure and blind XXE or SSRF to arbitrary URLs reachable from the host. The vulnerability is addressed in version 6.9.10.
Potential Impact
Exploitation of this vulnerability can lead to disclosure of local files on the host system and blind XML External Entity or Server-Side Request Forgery (SSRF) attacks to arbitrary URLs accessible from the host. This can compromise confidentiality and potentially allow attackers to gather sensitive information or interact with internal network resources.
Mitigation Recommendations
Upgrade to HAPI FHIR version 6.9.10 or later, where this vulnerability is fixed by properly restricting ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_STYLESHEET in the XML transformer factory. Patch status is confirmed fixed in 6.9.10. No other mitigation is indicated by the vendor advisory.
CVE-2026-55471: CWE-611: Improper Restriction of XML External Entity Reference in hapifhir org.hl7.fhir.core
Description
A vulnerability in HAPI FHIR's org.hl7.fhir.core prior to version 6.9.10 allows XML External Entity (XXE) injection due to improper restriction of external entity references in XML transformations. This can lead to local file disclosure and blind XXE or SSRF attacks to arbitrary URLs accessible from the host. The issue is fixed in version 6.9.10.
CVSS v4.0
Score 8.7high
Affected software
pkg:maven/org.hl7.fhir/org.hl7.fhir.coreRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
HAPI FHIR versions before 6.9.10 in the org.hl7.fhir.core component contain an XML External Entity (XXE) vulnerability (CWE-611) in the saxonTransform(...) method of org.hl7.fhir.utilities.XsltUtilities. The vulnerability arises because the code instantiates net.sf.saxon.TransformerFactoryImpl() without restricting ACCESS_EXTERNAL_DTD or ACCESS_EXTERNAL_STYLESHEET, enabling attackers who can control or tamper with the transformed XML to perform XXE attacks. This can result in local file disclosure and blind XXE or SSRF to arbitrary URLs reachable from the host. The vulnerability is addressed in version 6.9.10.
Potential Impact
Exploitation of this vulnerability can lead to disclosure of local files on the host system and blind XML External Entity or Server-Side Request Forgery (SSRF) attacks to arbitrary URLs accessible from the host. This can compromise confidentiality and potentially allow attackers to gather sensitive information or interact with internal network resources.
Mitigation Recommendations
Upgrade to HAPI FHIR version 6.9.10 or later, where this vulnerability is fixed by properly restricting ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_STYLESHEET in the XML transformer factory. Patch status is confirmed fixed in 6.9.10. No other mitigation is indicated by the vendor advisory.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-06-16T22:10:37.608Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a4ec4a5c9d9e3dbe3c8d48e
Added to database: 07/08/2026, 21:44:05 UTC
Last enriched: 07/08/2026, 21:58:32 UTC
Last updated: 07/08/2026, 21:58:32 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.