CVE-2026-40939

Vulnerability Description

The Data Sharing Framework (DSF) implements a distributed process engine based on the BPMN 2.0 and FHIR R4 standards. Prior to 2.1.0, OIDC-authenticated sessions had no configured maximum inactivity timeout. Sessions persisted indefinitely after login, even after the OIDC access token expired. This vulnerability is fixed in 2.1.0.

Vulnerability Details

Published Date

April 21, 2026

Last Modified

April 22, 2026

CWE ID

CWE-613

Source

NVD

Vendor

datasharingframework, dev.dsf

Product

dsf, dsf-bpe-server, dsf-common-jetty, dsf-fhir-server

External References

https://dsf.dev/operations/v2.1.0/bpe/oidc.html
https://dsf.dev/operations/v2.1.0/fhir/oidc.html
https://github.com/datasharingframework/dsf/commit/f4ecb002f7d12642f92da6b79371ed367d0140e7
https://github.com/datasharingframework/dsf/security/advisories/GHSA-gj7p-595x-qwf5

CVE-2026-40939

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment