CVE-2026-33180
Severity: HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Description
### Impact

When setting headers in HTTP requests, the internal HTTP client sends the headers first to the host in the initial URL, but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host named in the URL of the Location: response header. Sending the same set of headers to subsequent hosts is a problem, because these headers often contain privacy-sensitive information or data that could allow others to impersonate the client's request.

### Patches

This issue has been patched in release 6.8.3.

### Workarounds

None.
Analysis
A header leakage vulnerability exists in the internal HTTP client of the HAPI FHIR Core library: sensitive headers (such as authentication tokens) are forwarded to third-party hosts when the client follows HTTP redirects. Multiple HAPI FHIR packages, including org.hl7.fhir.utilities, org.hl7.fhir.convertors, and the FHIR version implementations (DSTU2, DSTU3, R4, R4B, R5), are affected in versions prior to 6.8.3. …
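The following is an added example, not code from HAPI FHIR or its 6.8.3 fix: it models the redirect behaviour the advisory describes (the same headers resent to every host in the chain) next to a hardened policy that drops credential-bearing headers whenever the Location: target is a different origin. The URLs, the in-memory response map and the bearer token are constructed for the demonstration.

```python
from urllib.parse import urljoin, urlsplit

# Headers that authenticate or identify the client; they must not cross an origin boundary.
SENSITIVE_HEADERS = frozenset({"authorization", "proxy-authorization", "cookie"})
MAX_REDIRECTS = 5

def origin(url):
    """(scheme, host, port) of url, with the scheme's default port filled in."""
    p = urlsplit(url)
    port = p.port or (443 if p.scheme.lower() == "https" else 80)
    return (p.scheme.lower(), (p.hostname or "").lower(), port)

def headers_for_redirect(current_url, location, headers):
    """Hardened policy: same origin keeps every header; any other origin
    (other host or port, or an https->http downgrade) loses the sensitive ones."""
    next_url = urljoin(current_url, location)  # Location: may be relative
    if origin(current_url) == origin(next_url):
        return next_url, dict(headers)
    return next_url, {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}

def forward_all(current_url, location, headers):
    """The behaviour the advisory describes: resend the same headers to every host."""
    return urljoin(current_url, location), dict(headers)

def follow(url, headers, responses, policy):
    """Walk a redirect chain against a constructed in-memory server map
    {url: (status, location)} and record which headers each URL received."""
    sent = []
    for _ in range(MAX_REDIRECTS + 1):
        sent.append((url, dict(headers)))
        status, location = responses.get(url, (200, None))
        if status not in (301, 302, 303, 307, 308) or location is None:
            return sent
        url, headers = policy(url, location, headers)
    raise RuntimeError("too many redirects")

# Constructed sample: the FHIR server bounces the client to a host run by someone else.
RESPONSES = {
    "https://fhir.example.org/Patient/1": (302, "https://mirror.example.net/Patient/1"),
    "https://mirror.example.net/Patient/1": (200, None),
}
REQUEST_HEADERS = {"Authorization": "Bearer CONSTRUCTED-TOKEN", "Accept": "application/fhir+json"}

if __name__ == "__main__":
    for name, policy in (("vulnerable", forward_all), ("hardened", headers_for_redirect)):
        for host_url, hdrs in follow("https://fhir.example.org/Patient/1", REQUEST_HEADERS, RESPONSES, policy):
            print(f"{name:10} {host_url:40} {sorted(hdrs)}")
```

Running the script shows the Authorization header reaching mirror.example.net under the vulnerable policy and only Accept reaching it under the hardened one; a same-origin relative redirect keeps the token in both cases.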
Remediation
Within 24 hours: Conduct an immediate inventory of all systems using HAPI FHIR Core versions prior to 6.8.3 (org.hl7.fhir.utilities, org.hl7.fhir.convertors, DSTU2/DSTU3/R4/R4B/R5 implementations) and isolate affected systems from untrusted networks if possible.
Within 7 days: Implement network segmentation and WAF rules to block suspicious redirect patterns; disable HTTP redirects in FHIR client configurations where feasible; rotate all API tokens and authentication credentials that may have been exposed. …
GHSA-p7m9-v2cm-2h7m