CVE-2026-34361 - Vulnerability Analysis
Severity: Critical. CVSS: 9.3. Last Updated: March 31, 2026
HAPI FHIR - Authentication Bypass
Published: March 31, 2026. Updated: March 31, 2026. Remote Exploitable
Overview
HAPI FHIR before 6.9.4 contains an authentication token theft vulnerability. The unauthenticated /loadIG endpoint makes outbound HTTP requests, and the credential provider selects credentials for those requests using flawed URL prefix matching. An attacker who controls a domain that prefix-matches a configured server URL can therefore have the server send its authentication token to that domain and steal it.
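To illustrate the prefix-matching flaw the overview describes, the following is an added Python example, not HAPI FHIR's own code: it contrasts a naive string-prefix credential check with one that compares the parsed origin (scheme, host, port) and allows only path extensions on a segment boundary. The configured URL and all hostnames are constructed examples.

```python
# Added illustration of the credential-provider prefix-matching bug class
# described in the overview. Not HAPI FHIR's code; all URLs are constructed.
from urllib.parse import urlsplit

CONFIGURED_SERVER_URL = "https://fhir.example.org"  # constructed example


def naive_prefix_match(request_url: str, configured_url: str) -> bool:
    """Flawed check: a plain string prefix test. Any URL whose text merely
    begins with the configured URL, including a different host whose name
    extends the configured host, is treated as the trusted server."""
    return request_url.startswith(configured_url)


def strict_origin_match(request_url: str, configured_url: str) -> bool:
    """Hardened check: scheme, host and port must be identical, and the
    request path may only extend the configured path at a '/' boundary."""
    req, cfg = urlsplit(request_url), urlsplit(configured_url)
    if req.scheme != cfg.scheme:
        return False
    # .hostname strips userinfo and port, so "host@evil" and "host:8443"
    # are compared by their real host and explicit port, not by raw text.
    if (req.hostname or "").lower() != (cfg.hostname or "").lower():
        return False
    if req.port != cfg.port:  # both None when the default port is used
        return False
    cfg_path = cfg.path.rstrip("/")
    return req.path == cfg_path or req.path.startswith(cfg_path + "/")


def should_attach_credentials(request_url: str, strict: bool = True) -> bool:
    """Decide whether an outbound request may carry the token configured for
    CONFIGURED_SERVER_URL. strict=False reproduces the flawed behaviour."""
    matcher = strict_origin_match if strict else naive_prefix_match
    return matcher(request_url, CONFIGURED_SERVER_URL)
```

The naive matcher attaches the token to a request for "https://fhir.example.org.evil.test/x" because the string starts with the configured URL; the strict matcher rejects it, along with userinfo and port variants, while still accepting real paths under the configured host.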
Severity & Score
Severity: Critical
CVSS Score: 9.3
Impact
Attackers can steal authentication tokens, leading to unauthorized access to legitimate FHIR servers and sensitive healthcare data.
Mitigation
Update to version 6.9.4 or later.
Details
- CVE ID: CVE-2026-34361
- Severity: Critical
- CVSS Score: 9.3
- Type: broken_authentication
- Status: new
- CWE: CWE-552
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N