PatchSiren cyber security CVE debrief
CVE-2026-49485 hapifhir CVE debrief
CVE-2026-49485 is a denial of service vulnerability in HAPI FHIR, a Java implementation of the HL7 FHIR standard for healthcare interoperability. The vulnerability exists in the FHIRPathEngine, which accepts arbitrary FHIRPath expressions and evaluates them without input validation. Specifically, the FHIRPath functions matches(), matchesFull(), and replaceMatches() pass user-controlled regular expressions to Java's Pattern.compile() and String.replaceAll() through an incomplete timeout utility. An attacker can exploit this by sending a resource containing a malicious regex pattern that causes catastrophic backtracking, exhausting CPU resources and causing a denial of service in the FHIR Validator HTTP endpoint and affected org.hl7.fhir.* modules.
- Vendor
- hapifhir
- Product
- org.hl7.fhir.core
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-17
- Original CVE updated
- 2026-07-17
- Advisory published
- 2026-07-17
- Advisory updated
- 2026-07-17
Who should care
Organizations using HAPI FHIR for healthcare interoperability should be aware of this vulnerability and take steps to mitigate it. This includes upgrading to versions 6.9.9 or 6.9.4.2, which fix the issue.
Technical summary
The vulnerability exists in the FHIRPathEngine of HAPI FHIR, where user-controlled regular expressions are passed to Java's Pattern.compile() and String.replaceAll() without proper input validation. This allows an attacker to cause a denial of service by sending a malicious regex pattern that causes catastrophic backtracking, exhausting CPU resources. The FHIRPath functions matches(), matchesFull(), and replaceMatches() are specifically affected, passing user-controlled regular expressions through an incomplete timeout utility. Organizations should be aware of this vulnerability and take steps to mitigate it, including upgrading to versions 6.9.9 or 6.9.4.2.
Defensive priority
High
Recommended defensive actions
- Upgrade to HAPI FHIR version 6.9.9 or 6.9.4.2
- Implement input validation for FHIRPath expressions
- Monitor FHIR Validator HTTP endpoint and affected modules for suspicious activity
- Consider implementing rate limiting or IP blocking for FHIR Validator HTTP endpoint
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-17T22:17:16.893Z and has not been modified since then. The NVD entry is currently 7.5 HIGH. Limited information is available about the vulnerability, and further investigation is recommended.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T22:17:16.893Z and has not been modified since then.