CVE-2026-49120
Medplum < 5.1.14 SSRF via FHIR Subscription Endpoint
| CVSS Score | 8.5 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
Medplum before 5.1.14 contains a server-side request forgery vulnerability in the subscription worker that allows authenticated users to perform unauthorized internal network requests by creating FHIR Subscription resources with arbitrary endpoint URLs. Attackers can point subscription endpoints at internal addresses such as cloud instance metadata services, internal databases, or container orchestration endpoints to exfiltrate IAM credentials and patient health records via the POST body containing full FHIR resource payloads.
| CWE | CWE-918 |
| Vendor | medplum |
| Product | medplum |
| Published | Jun 2, 2026 |
| Last Updated | Jun 3, 2026 |
CVSS v3 Breakdown
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Changed |
| Confidentiality | High |
| Integrity | Low |
| Availability | None |
Affected Versions
| medplum / medplum | >= 0, < 5.1.14 (all releases before 5.1.14) |
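The flaw described above is a missing destination check on user-supplied Subscription endpoint URLs. The following is an added defender's example, not code from the Medplum project or from the fix referenced below; it shows the kind of validation a webhook sender should apply before (and again at) delivery time: require an allowed scheme, refuse embedded credentials, resolve the hostname, and reject any address that is loopback, link-local (which covers the cloud metadata address), private, multicast, reserved or unspecified, including IPv4-mapped IPv6 forms. The `resolve` parameter, the `ALLOWED_SCHEMES` set and all sample URLs and addresses are constructed for this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumption for this example: webhooks must use HTTPS. Widen only deliberately.
ALLOWED_SCHEMES = {"https"}


def _resolve(host):
    """Default resolver: every A/AAAA record for host (needs network access)."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def _unwrap(ip):
    """Turn an IPv4-mapped IPv6 address (::ffff:10.0.0.1) into its IPv4 form
    so the IPv4 range checks cannot be bypassed by the mapped notation."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def _is_public(ip):
    """True only for addresses that are routable on the public Internet."""
    return not (
        ip.is_private
        or ip.is_loopback
        or ip.is_link_local   # 169.254.0.0/16, fe80::/10 (metadata services live here)
        or ip.is_multicast
        or ip.is_reserved
        or ip.is_unspecified
    )


def endpoint_rejection_reason(url, resolve=_resolve):
    """Return None if url is acceptable as a Subscription endpoint, otherwise a
    short reason string. Every candidate address the host resolves to must be
    public; one internal record is enough to reject."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return "unparseable URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return "credentials in URL not allowed"
    host = parts.hostname
    if not host:
        return "missing host"

    try:
        # Literal IP in the URL: check it directly, no DNS involved.
        candidates = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            candidates = [ipaddress.ip_address(a) for a in resolve(host)]
        except (socket.gaierror, ValueError):
            return "hostname does not resolve"
        if not candidates:
            return "hostname does not resolve"

    for ip in map(_unwrap, candidates):
        if not _is_public(ip):
            return f"non-public address {ip}"
    return None


if __name__ == "__main__":
    # Constructed inputs; the fake resolver keeps this runnable offline.
    samples = [
        ("https://hooks.example.com/fhir", lambda h: ["93.184.216.34"]),
        ("https://169.254.169.254/latest/meta-data/", _resolve),
        ("https://internal-db.example.com/", lambda h: ["10.0.0.5"]),
        ("https://[::ffff:10.0.0.1]/hook", _resolve),
        ("http://hooks.example.com/fhir", _resolve),
    ]
    for url, resolver in samples:
        print(url, "->", endpoint_rejection_reason(url, resolve=resolver) or "accepted")
```

Two caveats for anyone applying this: a check done only when the Subscription resource is created is not enough, because the hostname's DNS answer can change between creation and delivery (DNS rebinding), so the worker should re-run the check at send time and connect to the address it validated, and any redirect the endpoint returns must be validated the same way rather than followed blindly. Where the deployment can afford it, an explicit allowlist of permitted webhook hosts is simpler and stronger than this denylist of address ranges.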
References
- github.com: https://github.com/medplum/medplum/releases/tag/v5.1.14
- github.com: https://github.com/medplum/medplum/pull/9334
- github.com: https://github.com/medplum/medplum/commit/87595e98d756d840d70d9dc87beb9d4f9e158b59
- vulncheck.com: https://www.vulncheck.com/advisories/medplum-ssrf-via-fhir-subscription-endpoint
Credits
Katriel Moses (VulnCheck)