Back to search
CVE-2026-40939
Published: Apr 21, 2026
Modified: Apr 22, 2026
PUBLISHED
Description
The Data Sharing Framework (DSF) implements a distributed process engine based on the BPMN 2.0 and FHIR R4 standards. Prior to 2.1.0, OIDC-authenticated sessions had no configured maximum inactivity timeout. Sessions persisted indefinitely after login, even after the OIDC access token expired. This vulnerability is fixed in 2.1.0.
| Vendor | Product | Versions |
|---|---|---|
datasharingframework | dsf | affected < 2.1.0 |
dev.dsf | dsf-bpe-server | affected < 2.1.0 |
dev.dsf | dsf-common-jetty | affected < 2.1.0 |
dev.dsf | dsf-fhir-server | affected < 2.1.0 |
Weaknesses (CWE)
References
https://dsf.dev/operations/v2.1.0/bpe/oidc.html
x_refsource_MISC
https://dsf.dev/operations/v2.1.0/fhir/oidc.html
x_refsource_MISC
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now