CVE-2026-33180: HAPI FHIR HTTP authentication leak in redirects

March 18, 2026 (updated March 25, 2026)

When setting headers in HTTP requests, the internal HTTP client sends headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the Location: response header value.

Sending the same set of headers to subsequent hosts is a problem as this header often contains privacy sensitive information or data that could allow others to impersonate the client’s request.

References

github.com/advisories/GHSA-p7m9-v2cm-2h7m
github.com/hapifhir/org.hl7.fhir.core
github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-p7m9-v2cm-2h7m
nvd.nist.gov/vuln/detail/CVE-2026-33180

Code Behaviors & Features

Detect and mitigate CVE-2026-33180 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →