CVE-2026-33180

HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.0, when setting headers in HTTP requests, the internal HTTP client sends headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the Location: response header value. Sending the same set of headers to subsequent hosts is a problem as this header often contains privacy sensitive information or data that could allow others to impersonate the client's request. This issue has been patched in release 6.9.0. No known workarounds are available.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-p7m9-v2cm-2h7m

Configurations

No configuration.

History

No history.

Information

Published : 2026-03-20 23:16

Updated : 2026-03-23 14:32

NVD link : CVE-2026-33180

Mitre link : CVE-2026-33180

CVE.ORG link : CVE-2026-33180

JSON object : View

Products Affected

No product.

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2026-33180", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2026-03-20T23:16:45.020", "references": [{"url": "https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-p7m9-v2cm-2h7m", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.0, when setting headers in HTTP requests, the internal HTTP client sends headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the Location: response header value. Sending the same set of headers to subsequent hosts is a problem as this header often contains privacy sensitive information or data that could allow others to impersonate the client's request. This issue has been patched in release 6.9.0. No known workarounds are available."}, {"lang": "es", "value": "HAPI FHIR es una implementaci\u00f3n completa del est\u00e1ndar HL7 FHIR para la interoperabilidad sanitaria en Java. Antes de la versi\u00f3n 6.9.0, al establecer encabezados en las solicitudes HTTP, el cliente HTTP interno env\u00eda los encabezados primero al host en la URL inicial, pero tambi\u00e9n, si se le pide que siga redireccionamientos y se devuelve un c\u00f3digo de respuesta HTTP 30X, al host mencionado en la URL en el valor del encabezado de respuesta Location:. Enviar el mismo conjunto de encabezados a hosts subsiguientes es un problema, ya que este encabezado a menudo contiene informaci\u00f3n sensible a la privacidad o datos que podr\u00edan permitir a otros suplantar la solicitud del cliente. Este problema ha sido parcheado en la versi\u00f3n 6.9.0. No se conocen soluciones alternativas disponibles."}], "lastModified": "2026-03-23T14:32:02.800", "sourceIdentifier": "security-advisories@github.com"}