HTTP CVE-2026-33180
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from Vendor (https://github.com/hapifhir/org.hl7.fhir.core).
CVSS VectorVendor: https://github.com/hapifhir/org.hl7.fhir.core
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4Blast Radius
ecosystem impact- 4 maven packages depend on ca.uhn.hapi.fhir:org.hl7.fhir.convertors (4 direct, 0 indirect)
- 5 maven packages depend on ca.uhn.hapi.fhir:org.hl7.fhir.dstu2 (2 direct, 3 indirect)
- 5 maven packages depend on ca.uhn.hapi.fhir:org.hl7.fhir.dstu2016may (2 direct, 3 indirect)
- 6 maven packages depend on ca.uhn.hapi.fhir:org.hl7.fhir.dstu3 (3 direct, 3 indirect)
- 5 maven packages depend on ca.uhn.hapi.fhir:org.hl7.fhir.dstu3.support (2 direct, 3 indirect)
Ecosystem-wide dependent count for version 6.9.0 and other introduced versions.
DescriptionCVE.org
Impact
When setting headers in HTTP requests, the internal HTTP client sends headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the Location: response header value.
Sending the same set of headers to subsequent hosts is a problem as this header often contains privacy sensitive information or data that could allow others to impersonate the client's request.
Patches
This issue has been patched in release 6.8.3
Workarounds
None.
AnalysisAI
A header leakage vulnerability exists in the internal HTTP client of HAPI FHIR Core library that causes sensitive headers (such as authentication tokens) to be forwarded to third-party hosts when following HTTP redirects. Multiple HAPI FHIR packages including org.hl7.fhir.utilities, org.hl7.fhir.convertors, and various FHIR version implementations (DSTU2, DSTU3, R4, R4B, R5) are affected in versions prior to 6.8.3. With a CVSS score of 9.8 (Critical), this vulnerability allows network-based attackers to capture sensitive credentials without authentication or user interaction, though no EPSS score, KEV listing, or public POC is currently documented.
Technical ContextAI
This vulnerability affects the HAPI FHIR Core library, which is a Java implementation of the HL7 FHIR (Fast Healthcare Interoperability Resources) standard used widely in healthcare systems for data exchange. The affected packages include pkg:maven/ca.uhn.hapi.fhir:org.hl7.fhir.utilities, org.hl7.fhir.convertors, and implementations for FHIR versions DSTU2, DSTU2016may, DSTU3, R4, R4B, and R5. The root cause is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), specifically manifesting as improper handling of HTTP headers during redirect scenarios. The internal HTTP client fails to sanitize or strip sensitive headers when processing 30X redirect responses, causing headers originally intended for the initial host to be transmitted to redirect destinations specified in the Location header, potentially crossing trust boundaries.
RemediationAI
Upgrade all affected HAPI FHIR packages to version 6.8.3 or later, as documented in the GitHub security advisory at https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-p7m9-v2cm-2h7m. Organizations using Maven should update their pom.xml dependencies for ca.uhn.hapi.fhir artifacts to reference version 6.8.3 or higher and rebuild affected applications. According to the advisory, no workarounds are available for versions prior to 6.8.3, making immediate patching the only effective mitigation. As an additional defense-in-depth measure, review HTTP client configurations to disable automatic redirect following where not strictly necessary, and implement network segmentation to limit exposure of FHIR servers to untrusted redirect destinations. Healthcare organizations should assess whether any sensitive headers may have been leaked in historical redirect scenarios and consider credential rotation if exposure is suspected.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-p7m9-v2cm-2h7m