CVE-2026-34361
HL7 · HAPI FHIR
HAPI FHIR's Validator service contains an unauthenticated server-side request forgery (SSRF) vulnerability in the "/loadIG" endpoint that allows attackers to obtain the authentication tokens the server holds for other FHIR endpoints.
Executive summary
Unauthenticated attackers can use the HAPI FHIR Validator service to steal the API keys and authentication tokens it holds for other healthcare servers, potentially compromising highly sensitive patient data across the interoperability network.
Vulnerability
The FHIR Validator HTTP service exposes an unauthenticated /loadIG endpoint that fetches a caller-supplied URL, making it vulnerable to SSRF. Outbound requests carry per-server credentials, and ManagedWebAccessUtils.getServer() selects those credentials by matching the requested URL against configured server URLs by string prefix. A URL that begins with a configured server's URL but points at an attacker-controlled server is therefore treated as that server, so the Bearer token or API key intended for the legitimate FHIR endpoint is sent to the attacker, who captures it.
Business impact
This vulnerability directly threatens the security of healthcare data exchange. With the stolen credentials, an attacker can gain unauthorized access to the other FHIR servers the validator is configured to talk to, leading to large-scale exfiltration of Protected Health Information (PHI). The CVSS score of 9.3 indicates a critical risk to the confidentiality of the healthcare interoperability ecosystem.
Remediation
Immediate Action: Update HAPI FHIR to version 6.9.4 or later, which fixes the URL prefix matching logic and secures the validator endpoint.
Proactive Monitoring: Audit outbound connection logs from the FHIR Validator service and compare the destination hosts against the servers the validator is configured to use; investigate any request to an unknown or suspicious external domain, and treat a token that was sent to such a domain as compromised.
Compensating Controls: Use a Web Application Firewall (WAF) to block access to the /loadIG endpoint from untrusted sources, and enforce strict egress allowlisting for the FHIR server so that it can only reach the hosts it is configured to use.
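The following is an added illustration and is not code from HAPI FHIR or org.hl7.fhir.core; it is written in Python rather than the project's Java to show the class of bug described under Vulnerability and the monitoring step described above in one runnable piece. A lookup that picks per-server credentials by string prefix of the requested URL is shown beside a lookup that compares scheme, host and port and refuses userinfo in the URL; the same host extraction is then run over constructed egress log lines to flag destinations outside the configured server set. All server names, tokens, the log line format and the log contents are hypothetical.

```python
"""Added illustration, not code from HAPI FHIR or org.hl7.fhir.core.

Models the class of bug described in the advisory: per-server credentials are
looked up by string prefix of the requested URL, so a URL that merely *starts
with* a configured server's URL can pull that server's token even when it
resolves to another host. A host/port-based lookup is shown beside it, and the
same host extraction is reused to flag unexpected egress in constructed log
lines. All server names, tokens and log lines are hypothetical.
"""
from urllib.parse import urlsplit

# Hypothetical configuration: servers the validator may call, each with a
# credential that must only ever be sent to that server.
SERVER_CREDENTIALS = {
    "https://fhir.example.org/r4": {"token": "tok-fhir-r4"},
    "https://terminology.example.org": {"token": "tok-terminology"},
}

DEFAULT_PORTS = {"https": 443, "http": 80}


def get_server_prefix_match(url):
    """Vulnerable pattern: the first configured server whose URL is a string
    prefix of the requested URL wins. Returns (server_url, credentials) or None.
    'https://terminology.example.org.attacker.example/x' and
    'https://terminology.example.org@attacker.example/x' both match the
    terminology server here although neither resolves to it."""
    for server_url, creds in SERVER_CREDENTIALS.items():
        if url.startswith(server_url):
            return server_url, creds
    return None


def origin(url):
    """(scheme, lowercase host, effective port) for a URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def get_server_origin_match(url):
    """Hardened lookup: scheme, host and port must match exactly, userinfo in
    the target URL is refused, and the configured path may only be extended on
    a '/' boundary. Returns (server_url, credentials) or None."""
    target = urlsplit(url)
    if target.username is not None or target.password is not None:
        return None  # rejects "https://good.example@evil.example/" style URLs
    for server_url, creds in SERVER_CREDENTIALS.items():
        if origin(server_url) != origin(url):
            continue
        base = urlsplit(server_url).path.rstrip("/")
        if target.path == base or target.path.startswith(base + "/"):
            return server_url, creds
    return None


def allowed_hosts():
    """Hosts the validator is expected to reach, derived from its configuration."""
    return {origin(u)[1] for u in SERVER_CREDENTIALS}


def flag_unexpected_egress(log_text, allowed):
    """Return (timestamp, host) for each log line whose destination host is
    outside the allowed set. Assumed line shape: '<ts> <method> <url> <status>'."""
    flagged = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        host = origin(fields[2])[1]
        if host not in allowed:
            flagged.append((fields[0], host))
    return flagged


# Constructed egress log: two legitimate fetches, one lookalike host that a
# prefix match would accept, and one cloud metadata address.
SAMPLE_EGRESS_LOG = """\
2026-03-02T10:15:01Z GET https://terminology.example.org/CodeSystem/$lookup 200
2026-03-02T10:15:07Z GET https://fhir.example.org/r4/ImplementationGuide/x 200
2026-03-02T10:16:33Z GET https://terminology.example.org.attacker.example/ig.tgz 200
2026-03-02T10:17:02Z GET http://169.254.169.254/latest/meta-data/ 200
"""

if __name__ == "__main__":
    lookalike = "https://terminology.example.org.attacker.example/ig.tgz"
    print("prefix match  :", get_server_prefix_match(lookalike))
    print("origin match  :", get_server_origin_match(lookalike))
    print("flagged egress:", flag_unexpected_egress(SAMPLE_EGRESS_LOG, allowed_hosts()))
```

Two points worth taking from the example. First, the lookalike-host and userinfo cases both pass a prefix check while the origin check rejects them, and the origin check also stops a token configured for an https server from being sent over plain http or to a different port. Second, a correct credential lookup stops the token leak but does not by itself limit where an unauthenticated caller can make the service connect, which is why the advisory pairs the patch with egress allowlisting and with a review of outbound logs: in the constructed log, both the lookalike host and the metadata address fall outside the configured set and are flagged.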
Exploitation status
Public Exploit Available: No
Analyst recommendation
Securing healthcare interoperability is paramount. A validator service that can be made to hand over credentials for other systems is a significant architectural risk, because a single unauthenticated component becomes a path into every server it is trusted to call. Organizations must apply the version 6.9.4 patch immediately, and rotate any tokens the validator holds if its outbound logs show requests to unexpected hosts, to protect patient data and maintain trust in the FHIR infrastructure.