← back
CVE-2026-49120

Medplum < 5.1.14 SSRF via FHIR Subscription Endpoint

CVSS 6.3 MEDIUMEPSS 0.2%CWE-918
Medplum before 5.1.14 contains a server-side request forgery vulnerability in the subscription worker that allows authenticated users to perform unauthorized internal network requests by creating FHIR Subscription resources with arbitrary endpoint URLs. Attackers can point subscription endpoints at internal addresses such as cloud instance metadata services, internal databases, or container orchestration endpoints to exfiltrate IAM credentials and patient health records via the POST body containing full FHIR resource payloads.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N
Affected products
medplum · medplum

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/medplum/medplum/commit/87595e98d756d840d70d9dc87beb9d4f9e158b59https://github.com/medplum/medplum/pull/9334https://github.com/medplum/medplum/releases/tag/v5.1.14https://www.vulncheck.com/advisories/medplum-ssrf-via-fhir-subscription-endpoint