Skip to main content

HTTP CVE-2026-33180

HIGH
Information Exposure (CWE-200)
2026-03-18 https://github.com/hapifhir/org.hl7.fhir.core GHSA-p7m9-v2cm-2h7m
7.5
CVSS 3.1 · Vendor: https://github.com/hapifhir/org.hl7.fhir.core
Share

Severity by source

Vendor (https://github.com/hapifhir/org.hl7.fhir.core) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Red Hat
8.2 HIGH
qualitative

Primary rating from Vendor (https://github.com/hapifhir/org.hl7.fhir.core).

CVSS VectorVendor: https://github.com/hapifhir/org.hl7.fhir.core

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Re-analysis Queued
Apr 28, 2026 - 21:23 vuln.today
cvss_changed
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 18, 2026 - 20:15 vuln.today
CVE Published
Mar 18, 2026 - 20:07 nvd
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 4 maven packages depend on ca.uhn.hapi.fhir:org.hl7.fhir.convertors (4 direct, 0 indirect)
  • 5 maven packages depend on ca.uhn.hapi.fhir:org.hl7.fhir.dstu2 (2 direct, 3 indirect)
  • 5 maven packages depend on ca.uhn.hapi.fhir:org.hl7.fhir.dstu2016may (2 direct, 3 indirect)
  • 6 maven packages depend on ca.uhn.hapi.fhir:org.hl7.fhir.dstu3 (3 direct, 3 indirect)
  • 5 maven packages depend on ca.uhn.hapi.fhir:org.hl7.fhir.dstu3.support (2 direct, 3 indirect)

Ecosystem-wide dependent count for version 6.9.0 and other introduced versions.

DescriptionCVE.org

Impact

When setting headers in HTTP requests, the internal HTTP client sends headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the Location: response header value.

Sending the same set of headers to subsequent hosts is a problem as this header often contains privacy sensitive information or data that could allow others to impersonate the client's request.

Patches

This issue has been patched in release 6.8.3

Workarounds

None.

AnalysisAI

A header leakage vulnerability exists in the internal HTTP client of HAPI FHIR Core library that causes sensitive headers (such as authentication tokens) to be forwarded to third-party hosts when following HTTP redirects. Multiple HAPI FHIR packages including org.hl7.fhir.utilities, org.hl7.fhir.convertors, and various FHIR version implementations (DSTU2, DSTU3, R4, R4B, R5) are affected in versions prior to 6.8.3. With a CVSS score of 9.8 (Critical), this vulnerability allows network-based attackers to capture sensitive credentials without authentication or user interaction, though no EPSS score, KEV listing, or public POC is currently documented.

Technical ContextAI

This vulnerability affects the HAPI FHIR Core library, which is a Java implementation of the HL7 FHIR (Fast Healthcare Interoperability Resources) standard used widely in healthcare systems for data exchange. The affected packages include pkg:maven/ca.uhn.hapi.fhir:org.hl7.fhir.utilities, org.hl7.fhir.convertors, and implementations for FHIR versions DSTU2, DSTU2016may, DSTU3, R4, R4B, and R5. The root cause is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), specifically manifesting as improper handling of HTTP headers during redirect scenarios. The internal HTTP client fails to sanitize or strip sensitive headers when processing 30X redirect responses, causing headers originally intended for the initial host to be transmitted to redirect destinations specified in the Location header, potentially crossing trust boundaries.

RemediationAI

Upgrade all affected HAPI FHIR packages to version 6.8.3 or later, as documented in the GitHub security advisory at https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-p7m9-v2cm-2h7m. Organizations using Maven should update their pom.xml dependencies for ca.uhn.hapi.fhir artifacts to reference version 6.8.3 or higher and rebuild affected applications. According to the advisory, no workarounds are available for versions prior to 6.8.3, making immediate patching the only effective mitigation. As an additional defense-in-depth measure, review HTTP client configurations to disable automatic redirect following where not strictly necessary, and implement network segmentation to limit exposure of FHIR servers to untrusted redirect destinations. Healthcare organizations should assess whether any sensitive headers may have been leaked in historical redirect scenarios and consider credential rotation if exposure is suspected.

Vendor StatusVendor

Share

CVE-2026-33180 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy