CVE-2026-55471
HAPI FHIR · org.hl7.fhir.core
A vulnerability in the HAPI FHIR core library allows for XML External Entity (XXE) injection, potentially leading to unauthorized information disclosure.
Executive summary
An unauthenticated XML External Entity (XXE) injection vulnerability in the HAPI FHIR core library poses a critical risk of sensitive data exposure.
Vulnerability
This vulnerability (CWE-611) involves the improper restriction of XML External Entity references. An unauthenticated attacker can supply malicious XML input to the application, which, if processed by the vulnerable parser, may result in the disclosure of local files or internal network resources.
Business impact
The exploitation of this vulnerability could lead to significant data breaches, as attackers may gain unauthorized access to sensitive healthcare data stored within the FHIR repository. With a CVSS score of 8.7, this is a high-severity issue that threatens the confidentiality of patient information and compliance with healthcare data protection standards.
Remediation
Immediate Action: Upgrade the org.hl7.fhir.core library to version 6.9.10 or later immediately to implement the required XML parsing restrictions.
Proactive Monitoring: Monitor application logs for suspicious inbound XML traffic and unusual outbound network requests originating from the application server.
Compensating Controls: Deploy a Web Application Firewall (WAF) configured to inspect and block XML payloads containing DTD (Document Type Definition) or external entity references.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high CVSS score and the potential for unauthorized data access, organizations utilizing HAPI FHIR must prioritize this update. Patching is the only reliable mitigation; ensure all development and production environments are updated to version 6.9.10 immediately to eliminate the XXE vector.