SCA: security update for ca.uhn.hapi.fhir:org.hl7.fhir.convertors, ca.uhn.hapi.fhir:org.hl7.fhir.dstu2, ca.uhn.hapi.fhir:org.hl7.fhir.dstu2016may, ca.uhn.hapi.fhir:org.hl7.fhir.dstu3, ca.uhn.hapi.fhir:org.hl7.fhir.dstu3.support, ca.uhn.hapi.fhir:org.hl7.fhir.model, ca.uhn.hapi.fhir:org.hl7.fhir.r4, ca.uhn.hapi.fhir:org.hl7.fhir.r4b, ca.uhn.hapi.fhir:org.hl7.fhir.r5, ca.uhn.hapi.fhir:org.hl7.fhir.utilities, ca.uhn.hapi.fhir:org.hl7.fhir.validation, ca.uhn.hapi.fhir:org.hl7.fhir.validation.cli (GHSA-p7m9-v2cm-2h7m)

High | Tenable Cloud Security Plugin ID 438974

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java.
Prior to version 6.9.0, when headers are set on HTTP requests, the internal HTTP client sends them
first to the host in the initial URL and also, if it is asked to follow redirects and a 30X HTTP response
code is returned, to the host named in the URL of the Location: response header. Sending the same set of
headers to subsequent hosts is a problem because these headers often contain privacy-sensitive information
or data that could allow others to impersonate the client's request. This issue has been patched in release
6.9.0. No known workarounds are available. (CVE-2026-33180)

Solution

Update the ca.uhn.hapi.fhir:org.hl7.fhir.convertors library and its related packages to version 6.9.0 or later.

See Also

https://github.com/advisories/GHSA-p7m9-v2cm-2h7m

Plugin Details

Severity: High

ID: 438974

Version: Revision 1.9

Type: Local

Family: SCA Checks

Published: 3/19/2026

Updated: 6/30/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3.5

Percentile: 51.98

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-33180

CVSS v3

Risk Factor: High

Base Score: 8.2

Temporal Score: 7.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 3/18/2026

Vulnerability Publication Date: 3/18/2026

Reference Information

CVE: CVE-2026-33180

CWE: CWE-200