Dependency Update Request: HAPI-FHIR ≥ 6.9.0 (CVE-2026-33180)

[irene-hase]

Hello,

while reviewing the dependency tree of the Reference Validator, I noticed that
HAPI-FHIR 6.6.2 is currently used (e.g. hapi-fhir-validation, converter, utilities).

Older HAPI-FHIR versions are affected by CVE-2026-33180
("HTTP authentication leak in redirects").
The validator is probably not directly affected by this issue, but updating to HAPI-FHIR ≥ 6.9.0 might still make sense.
It would also help in our case, as our security/dependency scans currently flag this CVE due to the older version.

Are there plans to update the dependency and publish a new release?

Thank you very much.

[madduci]

Hello @irene-hase

thank you for the message. We know that the project is actually affected by the CVE and an upgrade is being performed. Unfortunately, migrating form HAPI 6.6.2 to 8.8.1 brings new challenges and breaking changes and these are already being analyzed, since the Validation is stricter and some assumptions are not valid anymore.

A branch is already opened in this repository.

Once we've cleared with our cooperating partners that these changes are acceptable, we will publish a new version.

Thanks for your patience