CVE-2026-33180
HAPI FHIR HTTP authentication leak in redirects
Description
### Impact When setting headers in HTTP requests, the internal HTTP client sends headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the Location: response header value. Sending the same set of headers to subsequent hosts is a problem as this header often contains privacy sensitive information or data that could allow others to impersonate the client's request. ### Patches This issue has been patched in release 6.8.3 ### Workarounds None.
How to fix CVE-2026-33180
To remediate CVE-2026-33180, upgrade the affected package to a fixed version below.
- —upgrade to 6.9.0 or later
- —upgrade to 6.9.0 or later
- —upgrade to 6.9.0 or later
- —upgrade to 6.9.0 or later
- —upgrade to 6.9.0 or later
- —upgrade to 6.9.0 or later
- —upgrade to 6.9.0 or later
- —upgrade to 6.9.0 or later
- —upgrade to 6.9.0 or later
- —upgrade to 6.9.0 or later
- —upgrade to 6.9.0 or later
- —upgrade to 6.9.0 or later
Is CVE-2026-33180 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (12)
- from 0, < 6.9.0
- from 0, < 6.9.0
- from 0, < 6.9.0
- from 0, < 6.9.0
- from 0, < 6.9.0
- from 0, < 6.9.0
- from 0, < 6.9.0
- from 0, < 6.9.0
- from 0, < 6.9.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |