CVE-2026-34359 Overview
HAPI FHIR, a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java, contains a critical credential leakage vulnerability in versions prior to 6.9.4. The vulnerability exists in the ManagedWebAccessUtils.getServer() method, which uses String.startsWith() to match request URLs against configured server URLs for authentication credential dispatch. Due to the lack of a trailing slash or host boundary check on configured server URLs, an attacker-controlled domain can match the prefix and receive sensitive authentication credentials including Bearer tokens, Basic auth credentials, or API keys when the HTTP client follows a redirect.
Critical Impact
Attackers can steal authentication credentials by exploiting improper URL validation in HAPI FHIR, potentially compromising healthcare data systems and gaining unauthorized access to FHIR servers.
Affected Products
- HAPI FHIR versions prior to 6.9.4
- Applications using ManagedWebAccessUtils.getServer() for credential dispatch
- Healthcare systems implementing FHIR interoperability with HAPI FHIR
Discovery Timeline
- 2026-03-31 - CVE-2026-34359 published to NVD
- 2026-04-01 - Last updated in NVD database
Technical Details for CVE-2026-34359
Vulnerability Analysis
This vulnerability is classified as CWE-346: Origin Validation Error. The flaw stems from improper origin validation when dispatching authentication credentials to remote servers. The ManagedWebAccessUtils.getServer() method uses a simple string prefix comparison to determine whether a target URL should receive authentication credentials.
The vulnerability is particularly dangerous in healthcare environments where FHIR servers handle sensitive patient data. When an application configures a trusted server URL such as http://tx.fhir.org, the prefix matching logic incorrectly trusts any URL that begins with this string, including attacker-controlled domains like http://tx.fhir.org.attacker.com.
The attack requires the attacker to either control a domain that matches the prefix pattern or redirect the victim's HTTP client to such a domain. Once the client follows the redirect, it will automatically send the configured authentication credentials to the attacker's server.
Root Cause
The root cause is the use of String.startsWith() for URL matching without proper host boundary validation. The configured server URLs lack trailing slashes or explicit host boundary checks, allowing subdomain spoofing attacks. For example, a configured URL http://tx.fhir.org will incorrectly match http://tx.fhir.org.attacker.com because the attacker's domain begins with the trusted prefix.
Attack Vector
The attack exploits the network-accessible credential dispatch mechanism in HAPI FHIR. An attacker can exploit this vulnerability through the following sequence:
- Register a domain that begins with a known trusted FHIR server URL (e.g., tx.fhir.org.attacker.com)
- Trick or redirect a HAPI FHIR client to make a request to the attacker-controlled domain
- The vulnerable prefix matching logic identifies the attacker's domain as trusted
- Authentication credentials (Bearer tokens, Basic auth, or API keys) are automatically sent to the attacker
- The attacker captures these credentials and can use them to access legitimate FHIR servers
The vulnerability can be triggered through redirect chains, DNS rebinding, or by manipulating FHIR resource references that point to external URLs. See the GitHub Security Advisory for additional technical details.
Detection Methods for CVE-2026-34359
Indicators of Compromise
- Outbound HTTP requests to domains that closely resemble trusted FHIR servers but with additional subdomain components
- Authentication credentials appearing in network traffic to unexpected destinations
- Unusual redirect patterns from trusted FHIR endpoints to external domains
- Log entries showing credential dispatch to domains matching patterns like trusted-server.attacker.com
Detection Strategies
- Monitor outbound network connections from HAPI FHIR applications for requests to suspicious domains that match trusted server prefixes
- Implement network security monitoring to detect credential leakage by inspecting Authorization headers in HTTP requests
- Deploy application-level logging to track all credential dispatch events from ManagedWebAccessUtils.getServer()
- Use DNS monitoring to identify newly registered domains that match your trusted FHIR server prefixes
Monitoring Recommendations
- Configure alerts for HTTP requests containing authentication headers sent to domains not on an explicit allow list
- Review application logs for redirect chains that terminate at unexpected destinations
- Monitor for anomalous authentication patterns to your FHIR infrastructure that may indicate compromised credentials
- Implement network egress filtering to restrict outbound connections from healthcare applications
How to Mitigate CVE-2026-34359
Immediate Actions Required
- Upgrade HAPI FHIR to version 6.9.4 or later immediately
- Rotate all authentication credentials (Bearer tokens, API keys, Basic auth passwords) that may have been exposed
- Review application logs to identify any potential credential exposure to untrusted domains
- Implement network egress filtering to restrict outbound connections to known trusted FHIR servers
Patch Information
The vulnerability has been patched in HAPI FHIR version 6.9.4. The patch implements proper URL parsing with host boundary validation, ensuring that credentials are only dispatched to exactly matching hosts rather than any URL that begins with the configured prefix. Users should upgrade to version 6.9.4 or later as documented in the GitHub Security Advisory.
Workarounds
- Configure trusted server URLs with trailing slashes (e.g., http://tx.fhir.org/) to reduce the attack surface: a longer hostname such as http://tx.fhir.org.attacker.com no longer shares the prefix, because the character after the trusted host is "." rather than "/"
- Implement network-level controls to restrict outbound connections from HAPI FHIR applications to an explicit allow list of trusted domains
- Deploy a web application firewall or proxy to inspect and validate outbound requests containing authentication credentials
- Consider disabling automatic redirect following in HTTP clients where possible
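To make the root cause, the host-boundary fix and the trailing-slash workaround concrete, here is an added illustration in Java (not HAPI FHIR's own code; the class name ServerMatchDemo and the methods prefixMatch, hostBoundaryMatch and effectivePort are assumed, and the sample request URLs are constructed). It runs the vulnerable String.startsWith() check and a scheme/host/port-aware check side by side against the configured URL from the advisory, with and without the trailing slash.

```java
import java.net.URI;
import java.net.URISyntaxException;

// Added illustration, not HAPI FHIR's own code: the vulnerable prefix check
// beside a host-boundary check for deciding whether a URL gets credentials.
public class ServerMatchDemo {
    // Vulnerable pattern from the advisory: plain string prefix comparison.
    static boolean prefixMatch(String configuredServer, String requestUrl) {
        return requestUrl.startsWith(configuredServer);
    }

    // Hardened check: parse both URLs, require identical scheme, host and
    // effective port, then compare paths only at a "/" segment boundary.
    static boolean hostBoundaryMatch(String configuredServer, String requestUrl) {
        try {
            URI cfg = new URI(configuredServer);
            URI req = new URI(requestUrl);
            if (cfg.getScheme() == null || req.getScheme() == null
                    || cfg.getHost() == null || req.getHost() == null) return false;
            if (!cfg.getScheme().equalsIgnoreCase(req.getScheme())) return false;
            if (!cfg.getHost().equalsIgnoreCase(req.getHost())) return false;
            if (effectivePort(cfg) != effectivePort(req)) return false;
            String base = cfg.getPath().isEmpty() ? "/" : cfg.getPath();
            if (!base.endsWith("/")) base += "/";
            String path = req.getPath().isEmpty() ? "/" : req.getPath();
            // "/fhir" matches base "/fhir/"; "/fhirx" does not
            return path.startsWith(base) || (path + "/").equals(base);
        } catch (URISyntaxException e) {
            return false; // unparseable URL: never dispatch credentials
        }
    }

    static int effectivePort(URI u) {
        if (u.getPort() != -1) return u.getPort();
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    public static void main(String[] args) {
        String[] configured = { "http://tx.fhir.org", "http://tx.fhir.org/" };
        String[] targets = { // constructed sample request URLs
            "http://tx.fhir.org/ValueSet", "http://tx.fhir.org.attacker.com/capture",
            "http://tx.fhir.org:8080/ValueSet", "https://tx.fhir.org/ValueSet" };
        for (String cfg : configured)
            for (String t : targets)
                System.out.printf("%-20s %-42s prefix=%-5b host=%-5b%n",
                        cfg, t, prefixMatch(cfg, t), hostBoundaryMatch(cfg, t));
    }
}
```

The output table shows that the prefix check accepts both the look-alike host and a different port when the configured URL has no trailing slash, while the host-boundary check rejects both in either configuration.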
Example: update the HAPI FHIR dependency in the Maven pom.xml to the patched version 6.9.4 or later:
<dependency>
  <groupId>ca.uhn.hapi.fhir</groupId>
  <artifactId>hapi-fhir-base</artifactId>
  <version>6.9.4</version>
</dependency>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

