Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (VulnCheck) · only source for this CVE.
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Medplum before 5.1.14 contains a server-side request forgery vulnerability in the subscription worker that allows authenticated users to perform unauthorized internal network requests by creating FHIR Subscription resources with arbitrary endpoint URLs. Attackers can point subscription endpoints at internal addresses such as cloud instance metadata services, internal databases, or container orchestration endpoints to exfiltrate IAM credentials and patient health records via the POST body containing full FHIR resource payloads.
AnalysisAI
Server-side request forgery in Medplum versions prior to 5.1.14 lets authenticated users abuse the FHIR Subscription worker to make the server issue HTTP POST requests to arbitrary internal endpoints. Because the worker delivers full FHIR resource payloads to attacker-chosen URLs, attackers can target cloud instance metadata services (e.g., AWS IMDS), internal databases, and orchestrator APIs to steal IAM credentials and exfiltrate patient health records. No public exploit identified at time of analysis, but a vendor patch and a VulnCheck advisory are available.
Technical ContextAI
Medplum is an open-source FHIR-native healthcare developer platform that processes clinical resources through asynchronous workers. FHIR Subscription resources (HL7 FHIR R4) let clients register a channel.endpoint URL that the server invokes whenever a matching resource changes - and Medplum's subscription worker performed those outbound POSTs without validating the destination, allowing the host portion to be replaced with internal-only addresses. This is a textbook CWE-918 Server-Side Request Forgery: the trusted server becomes a proxy, and because the request body is the full FHIR resource, the SSRF doubles as an exfiltration channel rather than a blind probe. Affected scope is cpe:2.3:a:medplum:medplum:* up to but not including 5.1.14.
RemediationAI
Vendor-released patch: Medplum 5.1.14 - upgrade immediately using https://github.com/medplum/medplum/releases/tag/v5.1.14 (fix commit 87595e98d756d840d70d9dc87beb9d4f9e158b59, PR #9334). If you cannot upgrade right away, restrict who can create or update FHIR Subscription resources via Medplum AccessPolicy so that only fully trusted project administrators hold Subscription write rights, accepting that this disables self-service webhook integrations for other roles. At the infrastructure layer, enforce IMDSv2 with hop-limit 1 on EC2 hosts running Medplum and apply egress firewall rules that block the worker from reaching RFC1918 ranges, 169.254.0.0/16 (link-local/metadata), and internal service CIDRs - be aware this will also break any legitimate subscriptions pointing at private webhook receivers and may require an allow-list. Audit existing Subscription resources for suspicious endpoint URLs and rotate any IAM credentials that were reachable from the Medplum worker before patching.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33998
GHSA-w852-7r27-32c6