Description

The Data Sharing Framework (DSF) implements a distributed process engine based on the BPMN 2.0 and FHIR R4 standards. Prior to 2.1.0, The OIDC JWKS and Metadata Document caches used an inverted time comparison (isBefore instead of isAfter), causing the cache to never return cached values. Every incoming request triggered a fresh HTTP fetch of the OIDC Metadata Document and JWKS keys from the OIDC provider. The OIDC token cache for the FHIR client connections used an inverted time comparison (isBefore instead of isAfter), causing the cache to never invalidate. Every incoming request returned the same OIDC token even if expired. This vulnerability is fixed in 2.1.0.

INFO

Published Date :

2026-04-21T21:09:44.537Z

Last Modified :

2026-04-22T18:11:33.794Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-40942 vulnerability.

Vendors Products
Datasharingframework
  • Dsf
Dev.dsf
  • Dsf-bpe-process-api-v2
  • Dsf-bpe-server
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-40942.

URL Resource
https://github.com/datasharingframework/dsf/commit/31c2e974dfd4351756104ee8c53dbcd666192fef cve-icon cve-icon
https://github.com/datasharingframework/dsf/commit/d3ca59b4daccde16a006fedeccce28fd1f826908 cve-icon cve-icon
https://github.com/datasharingframework/dsf/security/advisories/GHSA-xmj9-7625-f634 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability