CVE-2026-49120
8.5 HIGHMedplum before 5.1.14 contains a server-side request forgery vulnerability in the subscription worker that allows authenticated users to ...
Published: 2026-06-02 · Last updated: 2026-06-04
Severity and scoring
- CVSS
- 8.5 HIGH
- Vector
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
- CWE
- CWE-918
Description
Medplum before 5.1.14 contains a server-side request forgery vulnerability in the subscription worker that allows authenticated users to perform unauthorized internal network requests by creating FHIR Subscription resources with arbitrary endpoint URLs. Attackers can point subscription endpoints at internal addresses such as cloud instance metadata services, internal databases, or container orchestration endpoints to exfiltrate IAM credentials and patient health records via the POST body containing full FHIR resource payloads.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-49120
- [Other]https://github.com/medplum/medplum/commit/87595e98d756d840d70d9dc87beb9d4f9e158b59
- [Other]https://github.com/medplum/medplum/pull/9334
- [Other]https://github.com/medplum/medplum/releases/tag/v5.1.14
- [Other]https://www.vulncheck.com/advisories/medplum-ssrf-via-fhir-subscription-endpoint
Related CVEs
Same CWE
- CVE-2026-12210 — A vulnerability was detected in universal-tool-calling-protocol python-utcp 1.1.0 (6.3 MEDIUM)
- CVE-2026-53827 — OpenClaw before 2026.5.2 contains a credential exposure vulnerability in message.action forwarding that allows model-controlled metadata ... (6.5 MEDIUM)
- CVE-2026-47268 — Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool (6.4 MEDIUM)
- CVE-2026-46717 — Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool (7.7 HIGH)
- CVE-2026-53607 — ApostropheCMS is an open-source Node.js content management system (3.7 LOW)