CVE-2026-40939

DSF: Missing Session Timeout for OIDC Sessions

Description

The Data Sharing Framework (DSF) implements a distributed process engine based on the BPMN 2.0 and FHIR R4 standards. Prior to 2.1.0, OIDC-authenticated sessions had no configured maximum inactivity timeout. Sessions persisted indefinitely after login, even after the OIDC access token expired. This vulnerability is fixed in 2.1.0.

INFO

Published Date :

2026-04-21T21:07:10.503Z

Last Modified :

2026-04-22T17:44:03.707Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-40939 vulnerability.

Vendors	Products
Datasharingframework	Dsf
Dev.dsf	Dsf-bpe-server Dsf-common-jetty Dsf-fhir-server

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-40939.

URL	Resource
https://dsf.dev/operations/v2.1.0/bpe/oidc.html
https://dsf.dev/operations/v2.1.0/fhir/oidc.html
https://github.com/datasharingframework/dsf/commit/f4ecb002f7d12642f92da6b79371ed367d0140e7
https://github.com/datasharingframework/dsf/security/advisories/GHSA-gj7p-595x-qwf5

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Attack Requirements

Privileges Required

User Interaction

VS Confidentiality

VS Integrity

VS Availability

SS Confidentiality

SS Integrity

SS Availability