PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-49485 hapifhir CVE debrief

CVE-2026-49485 is a denial of service vulnerability in HAPI FHIR, a Java implementation of the HL7 FHIR standard for healthcare interoperability. The vulnerability exists in the FHIRPathEngine, which accepts arbitrary FHIRPath expressions and evaluates them without input validation. Specifically, the FHIRPath functions matches(), matchesFull(), and replaceMatches() pass user-controlled regular expressions to Java's Pattern.compile() and String.replaceAll() through an incomplete timeout utility. An attacker can exploit this by sending a resource containing a malicious regex pattern that causes catastrophic backtracking, exhausting CPU resources and causing a denial of service in the FHIR Validator HTTP endpoint and affected org.hl7.fhir.* modules.

Vendor
hapifhir
Product
org.hl7.fhir.core
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-17
Original CVE updated
2026-07-17
Advisory published
2026-07-17
Advisory updated
2026-07-17

Who should care

Organizations using HAPI FHIR for healthcare interoperability should be aware of this vulnerability and take steps to mitigate it. This includes upgrading to versions 6.9.9 or 6.9.4.2, which fix the issue.

Technical summary

The vulnerability exists in the FHIRPathEngine of HAPI FHIR, where user-controlled regular expressions are passed to Java's Pattern.compile() and String.replaceAll() without proper input validation. This allows an attacker to cause a denial of service by sending a malicious regex pattern that causes catastrophic backtracking, exhausting CPU resources. The FHIRPath functions matches(), matchesFull(), and replaceMatches() are specifically affected, passing user-controlled regular expressions through an incomplete timeout utility. Organizations should be aware of this vulnerability and take steps to mitigate it, including upgrading to versions 6.9.9 or 6.9.4.2.

Defensive priority

High

Recommended defensive actions

  • Upgrade to HAPI FHIR version 6.9.9 or 6.9.4.2
  • Implement input validation for FHIRPath expressions
  • Monitor FHIR Validator HTTP endpoint and affected modules for suspicious activity
  • Consider implementing rate limiting or IP blocking for FHIR Validator HTTP endpoint
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-17T22:17:16.893Z and has not been modified since then. The NVD entry is currently 7.5 HIGH. Limited information is available about the vulnerability, and further investigation is recommended.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T22:17:16.893Z and has not been modified since then.