<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>CVE-2026-34359 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/cve-2026-34359/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/cve-2026-34359/feed.xml" rel="self" type="application/rss+xml"/><item><title>HAPI FHIR Credential Leakage via Improper URL Prefix Matching</title><link>https://feed.craftedsignal.io/briefs/2024-01-hapi-fhir-credential-leak/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-hapi-fhir-credential-leak/</guid><description>HAPI FHIR Core is vulnerable to authentication credential leakage due to improper URL prefix matching on HTTP redirects, allowing attackers to intercept credentials by hosting a domain that is a prefix of a configured FHIR server URL.</description><content:encoded><![CDATA[<p>HAPI FHIR Core versions prior to 6.9.4 are vulnerable to an authentication credential leakage issue. The vulnerability resides in the <code>ManagedWebAccessUtils.getServer()</code> function, which uses <code>String.startsWith()</code> to match request URLs against configured server URLs. Due to the lack of a proper host boundary check, an attacker can register a domain that is a prefix of a legitimate FHIR server URL (e.g., <code>http://tx.fhir.org.attacker.com</code> matching <code>http://tx.fhir.org</code>). When the application follows a redirect to this attacker-controlled domain, sensitive credentials such as Bearer tokens, Basic authentication credentials, or API keys are inadvertently sent to the attacker. This issue affects deployments that configure server authentication in <code>fhir-settings.json</code> and make outbound HTTP requests to terminology servers. The vulnerability was introduced due to the removal of a host-equality check for redirects in <code>SimpleHTTPClient</code>.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The application makes an HTTP request to a configured FHIR server (e.g., <code>http://tx.fhir.org/ValueSet/$expand</code>).</li>
<li>The legitimate server responds with an HTTP 302 redirect to an attacker-controlled domain that shares a prefix with the legitimate server (e.g., <code>http://tx.fhir.org.attacker.com/capture</code>).</li>
<li>The HTTP client (either <code>SimpleHTTPClient</code> or <code>ManagedFhirWebAccessor</code> with OkHttpClient) follows the redirect.</li>
<li>The <code>ManagedWebAccessUtils.getServer()</code> function is called to determine if authentication headers should be added to the request.</li>
<li>Due to the <code>startsWith()</code> check, the attacker's domain matches the configured server URL.</li>
<li>The <code>ServerDetailsPOJOHTTPAuthProvider.getHeaders()</code> function retrieves configured credentials (Bearer token, Basic auth, or API key).</li>
<li>The HTTP client adds the retrieved authentication headers to the redirected request.</li>
<li>The request, including the sensitive credentials, is sent to the attacker-controlled server. The attacker captures these credentials.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows an attacker to steal authentication credentials, including Bearer tokens, Basic authentication passwords, API keys, and custom authentication headers configured for FHIR terminology servers. Stolen credentials enable the attacker to impersonate legitimate users, potentially accessing or modifying clinical terminology data on the legitimate FHIR server. This can lead to unauthorized data access, data manipulation, and potential compliance violations. The vulnerability impacts any FHIR Validator deployment that configures server authentication and makes outbound HTTP requests, making it a widespread concern in healthcare IT. It may also allow TLS downgrade.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the vendor-supplied patch to upgrade to HAPI FHIR Core version 6.9.4 or later to remediate CVE-2026-34359.</li>
<li>Deploy the Sigma rule <code>Detect Suspicious FHIR Redirect</code> to identify potential exploitation attempts based on redirects to unusual domains.</li>
<li>Monitor web server logs for HTTP redirects to domains containing the names of configured FHIR servers as a subdomain using the <code>Detect FHIR Server Subdomain Redirect</code> Sigma rule.</li>
<li>Implement proper URL host boundary validation in <code>ManagedWebAccessUtils.getServer()</code> and <code>ManagedWebAccess.isLocal()</code> as described in the advisory.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>hapi-fhir</category><category>credential-leakage</category><category>redirect</category><category>CVE-2026-34359</category></item></channel></rss>