HAPI FHIR Auth Token Theft (CVE-2026-34361)
Patch now: CVE-2026-34361 in HAPI FHIR prior to 6.9.4 lets hackers steal authentication tokens via a Server-Side Request Forgery flaw. Update to 6.9.4 immediately.
Patch now: CVE-2026-34361 is a critical SSRF and credential-theft vulnerability in the HAPI FHIR library prior to 6.9.4. It lets an unauthenticated attacker trick the Validator's /loadIG endpoint into sending stored Bearer tokens, API keys, or Basic auth credentials to an attacker-controlled server.
Overview
A critical vulnerability, CVE-2026-34361, exists in the HAPI FHIR open-source library prior to version 6.9.4. HAPI FHIR is widely used to build healthcare data interoperability systems. The flaw combines an insecure endpoint with a logic error, enabling attackers to steal sensitive authentication credentials.
Vulnerability Details
The HAPI FHIR Validator component includes an HTTP service with an unauthenticated /loadIG endpoint. This endpoint can be forced to make outbound HTTP requests to a URL specified by an attacker. Separately, a flaw exists in how the system matches URLs for credential lookup: it uses a startsWith() function to find which set of stored credentials (like Bearer tokens, API keys, or Basic auth) to use for an outgoing request.
By registering a malicious domain whose URL begins with (prefix-matches) the address of a legitimate, configured FHIR server, an attacker can trick the vulnerable system. When the /loadIG endpoint fetches the attacker’s URL, it will incorrectly attach the legitimate server’s authentication tokens to that malicious request. The attacker then captures these tokens.
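To make the string-matching error concrete, the following is an added Python example, not HAPI FHIR's own code (which is Java), contrasting a startsWith()-style credential lookup with one that matches the configured server's origin exactly. The configured server, its token, and the request URLs are constructed sample values.

```python
"""Credential lookup by URL prefix versus by exact origin.

Added example, not HAPI FHIR code. The configured server, its token, and the
request URLs below are constructed sample values.
"""
from urllib.parse import urlsplit

# Constructed configuration: the base URL of one legitimate FHIR server and the
# credential that should be sent to it, and only to it.
CONFIGURED_SERVERS = {
    "https://fhir.example.org": {"type": "bearer", "token": "SAMPLE-TOKEN-NOT-REAL"},
}


def credentials_by_prefix(url, configured=CONFIGURED_SERVERS):
    """Vulnerable lookup: a startsWith()-style check, as the advisory describes.

    Any URL that merely begins with a configured base string receives that
    server's credential, including hosts on entirely different domains.
    """
    for base, cred in configured.items():
        if url.startswith(base):
            return cred
    return None


def _origin(url):
    """Return (scheme, host, effective port) for an http(s) URL, or raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("unsupported or malformed URL: %r" % url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme, parts.hostname, port)


def credentials_by_origin(url, configured=CONFIGURED_SERVERS):
    """Hardened lookup: credentials are attached only when scheme, host and port
    match a configured server exactly and the path sits under its base path."""
    target = _origin(url)
    target_path = urlsplit(url).path or "/"
    for base, cred in configured.items():
        if _origin(base) != target:
            continue
        base_path = urlsplit(base).path.rstrip("/")
        if target_path == base_path or target_path.startswith(base_path + "/"):
            return cred
    return None


# Constructed request URLs: one legitimate, three shaped to pass a prefix check.
SAMPLE_REQUESTS = [
    "https://fhir.example.org/r4/ImplementationGuide/example",  # the configured server
    "https://fhir.example.org.attacker.example/loadIG",         # prefix-matching domain
    "https://fhir.example.org@attacker.example/loadIG",         # userinfo in front of host
    "https://fhir.example.org:8443/r4/metadata",                # same host, other port
]


def leaks(lookup, urls=SAMPLE_REQUESTS):
    """Return the URLs to which `lookup` would attach a stored credential."""
    return [u for u in urls if lookup(u) is not None]


if __name__ == "__main__":
    print("prefix match sends credentials to:", leaks(credentials_by_prefix))
    print("origin match sends credentials to:", leaks(credentials_by_origin))
```

The prefix lookup hands the token to all four URLs; the origin lookup hands it only to the configured server. Exact origin matching fixes the credential-routing bug, but it does not by itself stop the endpoint from fetching arbitrary URLs, which is why the advisory's network restriction on the Validator service still matters.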
Impact
The impact is severe. Successfully exploited, this vulnerability allows an unauthenticated remote attacker to steal credentials that provide access to backend FHIR servers. These servers contain Protected Health Information (PHI) and other sensitive medical data. With stolen tokens, an attacker could read, modify, or exfiltrate patient records, leading to a massive data breach. The attack requires no user interaction and no privileges.
Remediation and Mitigation
The primary and mandatory action is to upgrade HAPI FHIR to version 6.9.4 or later immediately. This version contains the patch that addresses both issues.
If an immediate upgrade is impossible, disable the FHIR Validator HTTP service or block external network access to it. Restrict the service to trusted internal networks and never expose it to the internet. As a precaution, review the server credentials configured in your deployment, and rotate any whose compromise cannot be ruled out, since they may already have been exposed.
Security Insight
This vulnerability highlights the persistent danger of “server-side request” capabilities in trusted systems, reminiscent of past SSRF flaws in cloud metadata services. The compounding of an open endpoint with a simple string-matching logic error underscores how minor implementation flaws in supporting utilities can create critical pathways to core authentication secrets. It serves as a reminder that security assessments must include ancillary services and utilities, not just primary application endpoints.