CVE-2026-49120 - Vulnerability Details

Medplum before 5.1.14 contains a server-side request forgery vulnerability in the subscription worker that allows authenticated users to perform unauthorized internal network requests by creating FHIR Subscription resources with arbitrary endpoint URLs. Attackers can point subscription endpoints at internal addresses such as cloud instance metadata services, internal databases, or container orchestration endpoints to exfiltrate IAM credentials and patient health records via the POST body containing full FHIR resource payloads.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact Low

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Medplum	Medplum

No data.

References

Link	Providers
https://github.com/medplum/medplum/commit/87595e98d756d840d70d9dc87beb9d4f9e158b59
https://github.com/medplum/medplum/pull/9334
https://github.com/medplum/medplum/releases/tag/v5.1.14
https://www.vulncheck.com/advisories/medplum-ssrf-via-fhir-subscription-endpoint

History

Wed, 03 Jun 2026 14:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 03 Jun 2026 12:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Medplum Medplum medplum
Vendors & Products		Medplum Medplum medplum

Wed, 03 Jun 2026 02:30:00 +0000

Type	Values Removed	Values Added
Description		Medplum before 5.1.14 contains a server-side request forgery vulnerability in the subscription worker that allows authenticated users to perform unauthorized internal network requests by creating FHIR Subscription resources with arbitrary endpoint URLs. Attackers can point subscription endpoints at internal addresses such as cloud instance metadata services, internal databases, or container orchestration endpoints to exfiltrate IAM credentials and patient health records via the POST body containing full FHIR resource payloads.
Title		Medplum < 5.1.14 SSRF via FHIR Subscription Endpoint
Weaknesses		CWE-918
References		https://github.com/medplum/medplum/commit/87595e98d756d840d70d9dc87beb9d4f9e158b59 https://github.com/medplum/medplum/pull/9334 https://github.com/medplum/medplum/releases/tag/v5.1.14 https://www.vulncheck.com/advisories/medplum-ssrf-via-fhir-subscription-endpoint
Metrics		cvssV3_1 `{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N'}` cvssV4_0 `{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published: 2026-06-02T18:05:09.825Z

Updated: 2026-06-03T13:19:50.892Z

Reserved: 2026-05-27T17:40:12.737Z

Link: CVE-2026-49120

Vulnrichment

Updated: 2026-06-03T13:19:47.007Z

NVD

Status : Received

Published: 2026-06-02T20:16:39.503

Modified: 2026-06-02T20:16:39.503

Link: CVE-2026-49120

Redhat

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact Low

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object