A vulnerability classified as problematic has been found in hapifhir HAPI FHIR up to 6.9.6. Affected by this issue is the function matches/matchesFull/replaceMatches of the component FHIRPathEngine. This manipulation causes incorrect regular expression.

This vulnerability is tracked as CVE-2026-45367. The attack is possible to be carried out remotely. No exploit exists.