CVE-2026-33180
CRITICAL9.8EPSS 0.05%HAPI FHIR HTTP authentication leak in redirects
Published: 3/18/2026Modified: 3/25/2026
Description
### Impact When setting headers in HTTP requests, the internal HTTP client sends headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the Location: response header value. Sending the same set of headers to subsequent hosts is a problem as this header often contains privacy sensitive information or data that could allow others to impersonate the client's request. ### Patches This issue has been patched in release 6.8.3 ### Workarounds None.
Affected packages (12)
- Maven/ca.uhn.hapi.fhir:org.hl7.fhir.convertorsfrom 0, < 6.9.0
- Maven/ca.uhn.hapi.fhir:org.hl7.fhir.dstu2from 0, < 6.9.0
- Maven/ca.uhn.hapi.fhir:org.hl7.fhir.dstu2016mayfrom 0, < 6.9.0
- Maven/ca.uhn.hapi.fhir:org.hl7.fhir.dstu3from 0, < 6.9.0
- Maven/ca.uhn.hapi.fhir:org.hl7.fhir.dstu3.supportfrom 0, < 6.9.0
- Maven/ca.uhn.hapi.fhir:org.hl7.fhir.modelfrom 0, < 6.9.0
- Maven/ca.uhn.hapi.fhir:org.hl7.fhir.r4from 0, < 6.9.0
- Maven/ca.uhn.hapi.fhir:org.hl7.fhir.r4bfrom 0, < 6.9.0
- Maven/ca.uhn.hapi.fhir:org.hl7.fhir.r5from 0, < 6.9.0
- Maven/ca.uhn.hapi.fhir:org.hl7.fhir.utilitiesfrom 0, < 6.9.0
- Maven/ca.uhn.hapi.fhir:org.hl7.fhir.validationfrom 0, < 6.9.0
- Maven/ca.uhn.hapi.fhir:org.hl7.fhir.validation.clifrom 0, < 6.9.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |