CVE-2026-34359 is a high-severity security vulnerability in ca.uhn.hapi.fhir:org.hl7.fhir.core (maven), affecting versions < 6.9.4. It is fixed in 6.9.4.
Summary ManagedWebAccessUtils.getServer() uses String.startsWith() to match request URLs against configured server URLs for authentication credential dispatch. Because configured server URLs (e.g., http://tx.fhir.org) lack a trailing slash or host boundary check, an attacker-controlled domain like http://tx.fhir.org.attacker.com matches the prefix and receives Bearer tokens, Basic auth credentials, or API keys when the HTTP client follows a redirect to that domain. Details The root cause is in ManagedWebAccessUtils.getServer() at org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/http/ManagedWebAccessUtils.java:26: The configured production terminology server URL is defined without a trailing slash in FhirSettingsPOJO.java:19: This means: "http://tx.fhir.org.attacker.com/capture".startsWith("http://tx.fhir.org") → true "http://tx.fhir.org:8080/evil".startsWith("http://tx.fhir.org") → true Exploit chain via SimpleHTTPClient (redirect path): SimpleHTTPClient.get() (SimpleHTTPClient.java:68-105) makes a request to http://tx.fhir.org/ValueSet/$expand On each redirect, the loop calls getHttpGetConnection(url, accept) (line 84) → setHeaders(connection) (line 117) setHeaders() (line 122-133) calls authProvider.canProvideHeaders(url) and authProvider.getHeaders(url) on the redirect target URL ServerDetailsPOJOHTTPAuthProvider.getServerDetails() (line 83-84) delegates to ManagedWebAccessUtils.getServer(url.toString(), servers) The startsWith() check matches http://tx.fhir.org.attacker.com against http://tx.fhir.org Credentials are dispatched to the attacker's server via ServerDetailsPOJOHTTPAuthProvider.getHeaders() (lines 38-58): Bearer tokens: Authorization: Bearer {token} Basic auth: Authorization: Basic {base64(user:pass)} API keys: Api-Key: {apikey} Custom headers from server config Note: An earlier fix (commit 6b615880 "Strip headers on redirect") added an isNotSameHost() check, but this was removed in commit 3871cc69 ("Rework authorization providers in ManagedWebAccess"). The current code on master has no host validation during redirect following. Exploit chain via ManagedFhirWebAccessor (OkHttp path): ManagedFhirWebAccessor.httpCall() (line 81-112) sets auth headers via requestWithAuthorizationHeaders() before passing the request to OkHttpClient. OkHttpClient follows redirects by default (up to 20) and carries the pre-set auth headers to all redirect targets. The same startsWith() check in canProvideHeaders() applies. The same vulnerable pattern also exists in ManagedWebAccess.isLocal() (line 214), where url.startsWith(server.getUrl()) is used to determine whether HTTP (non-TLS) access is allowed, potentially enabling TLS downgrade for attacker-controlled domains that match the prefix. PoC Step 1: Verify the prefix match behavior Step 2: Demonstrate credential dispatch to wrong host Given a fhir-settings.json configuration at ~/.fhir/fhir-settings.json: When SimpleHTTPClient.get("http://tx.fhir.org/ValueSet/$expand") follows a 302 redirect to http://tx.fhir.org.attacker.com/capture: setHeaders() is called with the redirect target URL authProvider.canProvideHeaders(new URL("http://tx.fhir.org.attacker.com/capture")) returns true authProvider.getHeaders(...) returns {"Authorization": "Bearer secret-bearer-token-12345"} The Authorization header with the secret token is sent to tx.fhir.org.attacker.com Step 3: Attacker captures the credential Impact Credential theft: Bearer tokens, Basic authentication passwords, API keys, and custom authentication headers configured for FHIR terminology servers can be exfiltrated by an attacker who can inject a redirect (via MITM, compromised CDN, or DNS poisoning). Impersonation: Stolen credentials allow an attacker to make authenticated requests to the legitimate FHIR server, potentially accessing or modifying clinical terminology data. Broad exposure: The FHIR Validator is widely used in healthcare IT for validating FHIR resources. Any deployment that configures server authentication in fhir-settings.json and makes outbound HTTP requests to terminology servers is affected. TLS downgrade: The same startsWith() pattern in ManagedWebAccess.isLocal() could allow an attacker-controlled domain to be treated as "local," bypassing the HTTPS enforcement. Recommended Fix Replace the startsWith() check in ManagedWebAccessUtils.getServer() with proper URL host boundary validation: Apply the same fix to ManagedWebAccess.isLocal() at line 214 and the three-argument getServer() overload at line 14. Additionally, consider re-introducing the host-equality check for redirects in SimpleHTTPClient (as was previously implemented in commit 6b615880 but removed in 3871cc69) to provide defense-in-depth against credential leakage on cross-origin redirects.
CVE-2026-34359 has a CVSS score of 7.4 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.
A fixed version is available (6.9.4). Upgrading removes the vulnerable code path.
maven
ca.uhn.hapi.fhir:org.hl7.fhir.core (< 6.9.4)ca.uhn.hapi.fhir:org.hl7.fhir.utilities (< 6.9.4)ca.uhn.hapi.fhir:org.hl7.fhir.core → 6.9.4 (maven)ca.uhn.hapi.fhir:org.hl7.fhir.utilities → 6.9.4 (maven)Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's runtime-powered SCA identifies whether CVE-2026-34359 is reachable in your applications. Explore open-source security for your team.
See if CVE-2026-34359 is reachable in your applications. Get a demo
Upgrade the following packages to resolve this vulnerability:
ca.uhn.hapi.fhir:org.hl7.fhir.core to 6.9.4 or laterca.uhn.hapi.fhir:org.hl7.fhir.utilities to 6.9.4 or laterKodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
CVE-2026-34359 is a high-severity security vulnerability in ca.uhn.hapi.fhir:org.hl7.fhir.core (maven), affecting versions < 6.9.4. It is fixed in 6.9.4.
CVE-2026-34359 has a CVSS score of 7.4 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
ca.uhn.hapi.fhir:org.hl7.fhir.core (maven) (versions < 6.9.4)ca.uhn.hapi.fhir:org.hl7.fhir.utilities (maven) (versions < 6.9.4)Yes. CVE-2026-34359 is fixed in 6.9.4. Upgrade to this version or later.
Whether CVE-2026-34359 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
ca.uhn.hapi.fhir:org.hl7.fhir.core to 6.9.4 or laterca.uhn.hapi.fhir:org.hl7.fhir.utilities to 6.9.4 or later