## High-Severity CVE-2026-24880 Exposes Apache Tomcat Core in HAPI FHIR Spring Boot Projects
A high-severity vulnerability, CVE-2026-24880, has been detected in the core Apache Tomcat library embedded within multiple HAPI FHIR Spring Boot sample projects. The flaw resides in the `tomcat-embed-core-10.1.52.jar` file, a foundational component for running Java web applications. Its presence in these healthcare interoperability frameworks raises immediate security concerns for any development or deployment environment using these specific samples.

The vulnerable library is directly pulled in as a transitive dependency through the `spring-boot-starter-tomcat` package within the `spring-boot-starter-web` library. It has been identified in the dependency trees of at least three key HAPI FHIR sample projects: the `hapi-fhir-spring-boot-sample-client-okhttp`, `hapi-fhir-spring-boot-sample-client-apache`, and `hapi-fhir-spring-boot-sample-server-jersey`. The path traces directly back to the projects' `pom.xml` files, indicating the vulnerability is baked into the standard build configuration for these reference implementations.

This exposure places any system built from these widely used healthcare IT samples at potential risk until the underlying Tomcat dependency is patched. The integration of a vulnerable core server component into FHIR (Fast Healthcare Interoperability Resources) tooling, which handles sensitive patient data, significantly amplifies the stakes. It signals a pressing need for developers and organizations in the health tech sector to audit their HAPI FHIR-based stacks, scrutinize their dependency chains, and apply security updates to mitigate this high-severity threat.
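The chain described above (sample project → `spring-boot-starter-web` → `spring-boot-starter-tomcat` → `tomcat-embed-core`) is exactly what `mvn dependency:tree` prints for an affected build. The following script is an added example, not code from the HAPI FHIR project: it parses that output, finds every path from the root artifact down to `tomcat-embed-core`, and flags the ones at the version named here. The embedded tree is a constructed sample whose version numbers other than `10.1.52` are placeholders.

```python
"""Locate a vulnerable artifact in `mvn dependency:tree` output and report the
dependency chain that pulls it in, back to the root pom."""

# Constructed sample of `mvn dependency:tree` output. The structure mirrors the
# chain named in the advisory; versions other than 10.1.52 are placeholders.
SAMPLE_TREE = """\
[INFO] ca.uhn.hapi.fhir:hapi-fhir-spring-boot-sample-client-okhttp:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:3.4.0:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter:jar:3.4.0:compile
[INFO] |  \\- org.springframework.boot:spring-boot-starter-tomcat:jar:3.4.0:compile
[INFO] |     +- org.apache.tomcat.embed:tomcat-embed-core:jar:10.1.52:compile
[INFO] |     \\- org.apache.tomcat.embed:tomcat-embed-websocket:jar:10.1.52:compile
[INFO] \\- ca.uhn.hapi.fhir:hapi-fhir-client-okhttp:jar:7.0.0:compile
"""

TARGET = "org.apache.tomcat.embed:tomcat-embed-core"
BAD_VERSION = "10.1.52"  # version named by the advisory


def parse_tree(text):
    """Yield (depth, coordinate) for each dependency line of the tree.
    Maven draws the tree with 3-character cells ('+- ', '\\- ', '|  ', '   '),
    so the nesting depth is the prefix length divided by three."""
    nodes = []
    for raw in text.splitlines():
        if not raw.startswith("[INFO] "):
            continue
        line = raw[len("[INFO] "):]
        i = 0
        while i < len(line) and line[i] in "|+\\- ":
            i += 1
        nodes.append((i // 3, line[i:]))
    return nodes


def find_paths(text, group_artifact):
    """Return every root-to-leaf chain whose leaf is group_artifact."""
    stack, hits = [], []
    for depth, coord in parse_tree(text):
        del stack[depth:]          # pop back to this node's parent
        stack.append(coord)
        if ":".join(coord.split(":")[:2]) == group_artifact:
            hits.append(list(stack))
    return hits


def vulnerable_chains(text, group_artifact, bad_version):
    """Keep only chains whose leaf is at the exact version the advisory names."""
    return [c for c in find_paths(text, group_artifact)
            if c[-1].split(":")[3] == bad_version]


if __name__ == "__main__":
    for chain in vulnerable_chains(SAMPLE_TREE, TARGET, BAD_VERSION):
        print(" -> ".join(c.split(":")[1] for c in chain))
```

Run it against real output with `mvn dependency:tree | python3 this_script.py`-style piping after swapping `SAMPLE_TREE` for `sys.stdin.read()`; a project that inherits from `spring-boot-starter-parent` can then pin a patched Tomcat through the `tomcat.version` property in its `pom.xml` (the fixed version is not given on this page).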

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE, Apache Tomcat, HAPI FHIR, Spring Boot, Vulnerability
- **Credibility**: unverified
- **Published**: 2026-04-20 16:23:13
- **ID**: 72731
- **URL**: https://whisperx.ai/en/intel/72731