CVE-2026-34361: FHIR Validator HTTP service has SSRF via /loadIG Chains with startsWith() Credential Leak for Authentication Token Theft

March 30, 2026 (updated March 31, 2026)

The FHIR Validator HTTP service exposes an unauthenticated /loadIG endpoint that makes outbound HTTP requests to attacker-controlled URLs. Combined with a startsWith() URL prefix matching flaw in the credential provider (ManagedWebAccessUtils.getServer()), an attacker can steal authentication tokens (Bearer, Basic, API keys) configured for legitimate FHIR servers by registering a domain that prefix-matches a configured server URL.

References

github.com/advisories/GHSA-vr79-8m62-wh98
github.com/hapifhir/org.hl7.fhir.core
github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-vr79-8m62-wh98
nvd.nist.gov/vuln/detail/CVE-2026-34361

Code Behaviors & Features

Detect and mitigate CVE-2026-34361 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →