{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34360", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-27T13:43:14.368Z", "datePublished": "2026-03-31T16:56:05.034Z", "dateUpdated": "2026-03-31T16:56:05.034Z"}, "containers": {"cna": {"title": "HAPI FHIR: Unauthenticated Blind SSRF via /loadIG Endpoint Enables Internal Network Probing", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-3ww8-jw56-9f5h", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-3ww8-jw56-9f5h"}], "affected": [{"vendor": "hapifhir", "product": "org.hl7.fhir.core", "versions": [{"version": "< 6.9.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T16:56:05.034Z"}, "descriptions": [{"lang": "en", "value": "HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.4, the /loadIG HTTP endpoint in the FHIR Validator HTTP service accepts a user-supplied URL via JSON body and makes server-side HTTP requests to it without any hostname, scheme, or domain validation. An unauthenticated attacker with network access to the validator can probe internal network services, cloud metadata endpoints, and map network topology through error-based information leakage. With explore=true (the default for this code path), each request triggers multiple outbound HTTP calls, amplifying reconnaissance capability. This issue has been patched in version 6.9.4."}], "source": {"advisory": "GHSA-3ww8-jw56-9f5h", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.4, the /loadIG HTTP endpoint in the FHIR Validator HTTP service accepts a user-supplied URL via JSON body and makes server-side HTTP requests to it without any hostname, scheme, or domain validation. An unauthenticated attacker with network access to the validator can probe internal network services, cloud metadata endpoints, and map network topology through error-based information leakage. With explore=true (the default for this code path), each request triggers multiple outbound HTTP calls, amplifying reconnaissance capability. This issue has been patched in version 6.9.4."}], "id": "CVE-2026-34360", "lastModified": "2026-03-31T17:16:32.767", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-31T17:16:32.767", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-3ww8-jw56-9f5h"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.9.4)"}}], "enrichment": {"confidence": 92.0, "confidence_source": "matching", "scores": [{"score": 92.0, "source": "matching"}]}, "original": {"product": "org.hl7.fhir.core", "source": "cna", "vendor": "hapifhir"}, "product": "hl7_fhir_core", "vendor": "hapifhir"}], "analysis": {"en": {"generated_at": "2026-03-31T18:22:12.234674+00:00", "value": {"mitigation_remediation": ["Apply the official patch to upgrade HAPI FHIR to version 6.9.4 or newer.", "Ensure that the /loadIG endpoint is disabled or protected behind authentication if the service is publicly exposed."], "summary": {"action": "Immediate Patch", "impact": "Blind Server\u2011Side Request Forgery enabling internal network reconnaissance"}, "threat_synthesis": {"affected_systems": "HAPI FHIR, the open\u2011source HL7 FHIR implementation in Java, is affected. All releases prior to version 6.9.4 of the org.hl7.fhir.core component are vulnerable. The flaw is present in the FHIR Validator HTTP service that includes the /loadIG endpoint.", "description_and_impact": "The HAPI FHIR Validator HTTP service contains a blind Server\u2011Side Request Forgery flaw in the /loadIG endpoint that accepts a user supplied URL without validating the hostname, scheme, or domain. Because the endpoint is unauthenticated, an attacker who can reach the validator can supply arbitrary internal URLs. The response leaks hidden error information and, when the explore parameter remains true, the code triggers multiple outbound calls, amplifying the amount of information returned.", "risk_and_exploitability": "The CVSS v3 score of 5.8 indicates medium severity. EPSS data is not available, and it is not listed in the CISA KEV catalog, but the flaw is exploitable over the network by any unauthenticated user with access to the validator service. Because the vulnerability requires only network connectivity and a crafted JSON request, an attacker can map internal services, probe cloud metadata endpoints, or discover hostnames through error\u2011based information leakage. The lack of authentication, combined with the server\u2011initiated outbound requests, makes this a valuable reconnaissance vector for attackers building an internal foothold."}}}}, "created": "2026-03-31T19:53:52.865467+00:00", "updated": "2026-03-31T20:37:50.479685+00:00", "vendors": ["hapifhir", "hapifhir$PRODUCT$hl7_fhir_core"]}