What is the CVSS score of CVE-2026-55470?

CVE-2026-55470 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.

Which versions of HAPI FHIR are affected by CVE-2026-55470?

HAPI FHIR-the healthcare data interoperability standard used by medical organizations to exchange patient data-contains a remote denial-of-service vulnerability in its DSTU2 module exploitable…. A patch is available.

How to fix or mitigate CVE-2026-55470?

24 hours: Inventory all HAPI FHIR deployments and identify DSTU2 instances; immediately restrict network access to FHIRPath query endpoints to internal systems only. 7 days: Implement input validation to reject FHIRPath expressions with complex regular expressions; deploy CPU and response-time monitoring with alerts; validate access control effectiveness. 30 days: Evaluate HAPI FHIR upgrade options or alternatives; contact HAPI team for patch timeline; implement permanent architectural controls (rate limiting, query timeouts).

HAPI FHIR CVE-2026-55470

HIGH

Inefficient Regular Expression Complexity (ReDoS) (CWE-1333)

2026-06-17 https://github.com/hapifhir/org.hl7.fhir.core

GHSA-fxj4-p9xp-37v5

Java Denial Of Service

7.5

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

7.5 HIGH

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

vuln.today AI

7.5 HIGH

Unauthenticated network-reachable FHIR endpoint evaluates attacker-supplied regex causing CPU exhaustion; availability-only impact, no confidentiality or integrity effect.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Source Code Evidence Fetched

Jun 18, 2026 - 01:39 vuln.today

Analysis Generated

Jun 18, 2026 - 01:39 vuln.today

CVE Published

Jun 17, 2026 - 18:47 github-advisory

HIGH 7.5

DescriptionGitHub Advisory

Summary

The fix for CVE-2026-45367 added RegexTimeout protection to the matches() function in DSTU2016MAY, DSTU3, R4, R4B, and R5, but the DSTU2 module was incompletely patched. In org.hl7.fhir.dstu2, replaceMatches() was updated while matches() at line 2462 still calls the raw String.matches(sw) without any timeout, allowing an unauthenticated attacker to trigger catastrophic regex backtracking and exhaust server CPU.

Details

Incomplete patch

Within the same file (org.hl7.fhir.dstu2/utils/FHIRPathEngine.java), the two functions were patched inconsistently:

Line 2226 - replaceMatches() - PATCHED:

java

result.add(new StringType(
    RegexTimeout.replaceAll(
        convertToString(focus.get(0)), regex, repl, regexTimeoutMillis)));

Line 2462 - matches() - NOT PATCHED:

java

result.add(new BooleanType(
    convertToString(focus.get(0)).matches(sw)));
// ↑ raw String.matches() - no RegexTimeout, no complexity check

DSTU3 line 2447 - matches() - PATCHED (for comparison):

java

result.add(new BooleanType(
    RegexTimeout.matches(st, sw, regexTimeoutMillis)));

Module-by-module status

Module	`matches()`	`replaceMatches()`
DSTU2	❌ raw `str.matches(sw)`	✅ `RegexTimeout.replaceAll()`
DSTU2016MAY	✅ `RegexTimeout.matches()`	✅
DSTU3	✅ `RegexTimeout.matches()`	✅
R4	✅ `RegexTimeout.matches()`	✅
R4B	✅ `RegexTimeout.matches()`	✅
R5	✅ `RegexTimeout.matches()`	✅

PoC

Requirements: Java 17+, Maven 3.8+

pom.xml dependencies:

xml

<dependency>
    <groupId>ca.uhn.hapi.fhir</groupId>
    <artifactId>org.hl7.fhir.utilities</artifactId>
    <version>6.9.7</version>
</dependency>

Test code (reproduces the exact behaviour of DSTU2 line 2462):

java

import org.hl7.fhir.utilities.regex.RegexTimeout;
import java.util.concurrent.*;

String regex = "((a|b){0,5}){20}";
String input = "a".repeat(25) + "c";    // no match → full backtracking

// ① Patched approach - RegexTimeout terminates at 500 ms
long t1 = System.currentTimeMillis();
try {
    RegexTimeout.matches(input, regex, 500);
} catch (TimeoutException e) {
    System.out.println("RegexTimeout blocked in " +
        (System.currentTimeMillis() - t1) + " ms");
}

// ② DSTU2 line 2462 - raw String.matches(), no timeout
long t2 = System.currentTimeMillis();
input.matches(regex);                   // equivalent to what FHIRPathEngine does
System.out.println("str.matches() ran for " +
    (System.currentTimeMillis() - t2) + " ms with no timeout");

Verified output (JDK 25.0.3, Linux):

RegexTimeout blocked in 508 ms      ← patched modules: attack stopped
str.matches() ran for 1410 ms       ← DSTU2: no timeout, CPU exhausted

The patched approach cuts off the evaluation at 508 ms. The unpatched DSTU2 code runs for 1410 ms on this input with no mechanism to stop it. Longer inputs or more complex patterns produce proportionally worse results.

Impact

Vulnerability type: Regular Expression Denial of Service (ReDoS) causing CPU exhaustion and service disruption.

Who is impacted: Any application using the ca.uhn.hapi.fhir:org.hl7.fhir.dstu2 module that evaluates user-supplied FHIRPath expressions - including the FHIR Validator HTTP endpoint, FHIR servers applying FHIRPath invariants from user-provided resources or profiles, and any system embedding FHIRPathEngine from the DSTU2 module. No authentication is required; an attacker needs only to submit a FHIR resource or FHIRPath expression whose matches() argument contains a catastrophically backtracking regular expression.

Articles & Coverage 1

News 5 New Java Vulnerabilities - 2 Critical, 3 High Severity Jun 18, 2026

AnalysisAI

Regular expression denial of service in HAPI FHIR's DSTU2 FHIRPathEngine allows unauthenticated remote attackers to exhaust server CPU by submitting FHIR resources or FHIRPath expressions containing catastrophically backtracking regexes against the matches() function. This is an incomplete-fix vulnerability stemming from CVE-2026-45367, where the DSTU2 module's matches() at FHIRPathEngine.java line 2462 was left calling raw String.matches() without the RegexTimeout wrapper applied to the other five FHIR version modules. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Identify exposed FHIR endpoint using DSTU2

Delivery

Craft FHIR resource with malicious matches() regex

Exploit

Submit to validator or FHIRPath sink

Execution

Trigger catastrophic regex backtracking

Persist

Exhaust server CPU

Impact

Repeat to deny service

Access

Identify exposed FHIR endpoint using DSTU2

Delivery

Craft FHIR resource with malicious matches() regex

Exploit

Submit to validator or FHIRPath sink

Execution

Trigger catastrophic regex backtracking

Persist

Exhaust server CPU

Impact

Repeat to deny service

Vulnerability AssessmentAI

Exploitation	Target application must embed HAPI FHIR's org.hl7.fhir.dstu2 FHIRPathEngine (transitively via org.hl7.fhir.convertors, .validation, or .validation.cli at version <=6.9.9) AND expose a code path that evaluates attacker-controlled FHIRPath expressions against attacker-controlled input - typically the FHIR Validator HTTP endpoint, a server applying FHIRPath invariants from user-submitted resources/profiles, or any service calling FHIRPathEngine on untrusted input. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 3.1 base score is 7.5 with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, consistent with a network-reachable, unauthenticated, no-interaction DoS affecting availability only - confidentiality and integrity are unaffected. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An unauthenticated attacker submits a FHIR resource, profile, or FHIRPath invariant to a public FHIR Validator endpoint or any HAPI-backed server that runs DSTU2 FHIRPath, embedding an expression such as matches('((a\|b){0,5}){20}') applied to a non-matching string. The server enters exponential backtracking on the regex engine, pinning a CPU core for seconds to minutes; the reporter's PoC on the GHSA advisory demonstrates exactly this. …
Remediation	Vendor-released patch: 6.9.10 - upgrade all four affected Maven artifacts (org.hl7.fhir.dstu2, org.hl7.fhir.convertors, org.hl7.fhir.validation, org.hl7.fhir.validation.cli) from <=6.9.9 to 6.9.10 or later via your dependency manager and rebuild downstream applications including the FHIR Validator CLI and any embedded HAPI services; advisory at https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-fxj4-p9xp-37v5. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all HAPI FHIR deployments and identify DSTU2 instances; immediately restrict network access to FHIRPath query endpoints to internal systems only. …

Threat intelligence, references, and detailed analysis are available after sign-in.