CVE-2026-40939 PUBLISHED

DSF: Missing Session Timeout for OIDC Sessions

Assigner: GitHub_M
Reserved: 15.04.2026 Published: 21.04.2026 Updated: 21.04.2026

The Data Sharing Framework (DSF) implements a distributed process engine based on the BPMN 2.0 and FHIR R4 standards. In versions prior to 2.1.0, sessions established through OIDC login had no maximum inactivity timeout configured. Such a session remained valid indefinitely after login, even after the OIDC access token that established it had expired, so the lifetime of a session cookie was bounded only by the server process, not by the token lifetime set at the identity provider. This vulnerability is fixed in 2.1.0.
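The following is an added illustration of the configuration gap described above, not code from the DSF project. It shows a Jetty servlet context with no idle timeout beside a hardened one, and how a session created at OIDC login can be capped so it never outlives the access token. It assumes the Jetty 12 ee10 servlet API (`org.eclipse.jetty.ee10.servlet`; in Jetty 9 to 11 the same classes live in `org.eclipse.jetty.servlet`) and the Jakarta Servlet `HttpSession`; the helper names, the `oidc.exp` attribute and the durations are hypothetical.

```java
import jakarta.servlet.http.HttpSession;
import org.eclipse.jetty.ee10.servlet.ServletContextHandler;
import org.eclipse.jetty.ee10.servlet.SessionHandler;
import org.eclipse.jetty.http.HttpCookie;

import java.time.Duration;
import java.time.Instant;

/** Added example: unbounded vs. bounded OIDC-backed sessions on Jetty. */
public final class SessionTimeoutExample {

    // Weak shape: Jetty's default maxInactiveInterval is -1 (never expire), so a
    // session created at OIDC login stays valid for as long as the server runs,
    // regardless of when the access token that established it expires.
    static ServletContextHandler weakContext() {
        ServletContextHandler ctx = new ServletContextHandler(ServletContextHandler.SESSIONS);
        // nothing set on ctx.getSessionHandler(): idle sessions are never reaped
        return ctx;
    }

    // Hardened shape: an explicit idle timeout plus cookie hardening.
    static ServletContextHandler hardenedContext(Duration maxIdle) {
        ServletContextHandler ctx = new ServletContextHandler(ServletContextHandler.SESSIONS);
        SessionHandler sessions = ctx.getSessionHandler();
        sessions.setMaxInactiveInterval((int) maxIdle.toSeconds()); // e.g. 30 minutes
        sessions.setHttpOnly(true);
        sessions.setSecureRequestOnly(true);
        sessions.setSameSite(HttpCookie.SameSite.STRICT);
        return ctx;
    }

    // Called once at OIDC login (hypothetical hook): the session may be idle for at
    // most maxIdle, and in no case longer than the remaining token lifetime.
    static void bindSessionToToken(HttpSession session, Instant tokenExp,
                                   Duration maxIdle, Instant now) {
        long untilTokenExpiry = Math.max(1, Duration.between(now, tokenExp).getSeconds());
        int idleSeconds = (int) Math.min(maxIdle.getSeconds(), untilTokenExpiry);
        session.setMaxInactiveInterval(idleSeconds);
        // absolute bound, checked on every request; "oidc.exp" is an assumed attribute name
        session.setAttribute("oidc.exp", tokenExp.getEpochSecond());
    }

    // Called per request (e.g. from a filter): a client that keeps the session
    // "active" must still be logged out once the token's exp has passed.
    static boolean sessionStillValid(HttpSession session, Instant now) {
        Object exp = session.getAttribute("oidc.exp");
        if (!(exp instanceof Long) || now.getEpochSecond() >= (Long) exp) {
            session.invalidate();
            return false;
        }
        return true;
    }
}
```

The idle timeout alone is the fix the advisory describes; the per-session absolute bound is an additional defence so that a session cannot be kept alive by periodic requests after the identity provider's token has expired. When checking a deployment, confirm both that `maxInactiveInterval` is positive on the session handler and that an idle session is rejected after that interval.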

Metrics

CVSS Vector: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
CVSS Score: 6.8

Product Status

Vendor datasharingframework
Product dsf
Versions
  • Version < 2.1.0 is affected
Vendor dev.dsf
Product dsf-bpe-server
Versions
  • Version < 2.1.0 is affected
Vendor dev.dsf
Product dsf-common-jetty
Versions
  • Version < 2.1.0 is affected
Vendor dev.dsf
Product dsf-fhir-server
Versions
  • Version < 2.1.0 is affected

References

Problem Types

  • CWE-613: Insufficient Session Expiration