{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40939", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-15T20:40:15.518Z", "datePublished": "2026-04-21T21:07:10.503Z", "dateUpdated": "2026-04-22T17:44:03.707Z"}, "containers": {"cna": {"title": "DSF: Missing Session Timeout for OIDC Sessions", "problemTypes": [{"descriptions": [{"cweId": "CWE-613", "lang": "en", "description": "CWE-613: Insufficient Session Expiration", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "PHYSICAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/datasharingframework/dsf/security/advisories/GHSA-gj7p-595x-qwf5", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/datasharingframework/dsf/security/advisories/GHSA-gj7p-595x-qwf5"}, {"name": "https://github.com/datasharingframework/dsf/commit/f4ecb002f7d12642f92da6b79371ed367d0140e7", "tags": ["x_refsource_MISC"], "url": "https://github.com/datasharingframework/dsf/commit/f4ecb002f7d12642f92da6b79371ed367d0140e7"}, {"name": "https://dsf.dev/operations/v2.1.0/bpe/oidc.html", "tags": ["x_refsource_MISC"], "url": "https://dsf.dev/operations/v2.1.0/bpe/oidc.html"}, {"name": "https://dsf.dev/operations/v2.1.0/fhir/oidc.html", "tags": ["x_refsource_MISC"], "url": "https://dsf.dev/operations/v2.1.0/fhir/oidc.html"}], "affected": [{"vendor": "datasharingframework", "product": "dsf", "versions": [{"version": "< 2.1.0", "status": "affected"}]}, {"vendor": "dev.dsf", "product": "dsf-bpe-server", "versions": [{"version": "< 2.1.0", "status": "affected"}]}, {"vendor": "dev.dsf", "product": "dsf-common-jetty", "versions": [{"version": "< 2.1.0", "status": "affected"}]}, {"vendor": "dev.dsf", "product": "dsf-fhir-server", "versions": [{"version": "< 2.1.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T21:07:10.503Z"}, "descriptions": [{"lang": "en", "value": "The Data Sharing Framework (DSF) implements a distributed process engine based on the BPMN 2.0 and FHIR R4 standards. Prior to 2.1.0, OIDC-authenticated sessions had no configured maximum inactivity timeout. Sessions persisted indefinitely after login, even after the OIDC access token expired. This vulnerability is fixed in 2.1.0."}], "source": {"advisory": "GHSA-gj7p-595x-qwf5", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T17:43:47.019567Z", "id": "CVE-2026-40939", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T17:44:03.707Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "DSF: Missing Session Timeout for OIDC Sessions", "source": {"advisory": "GHSA-gj7p-595x-qwf5", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.8, "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "datasharingframework", "product": "dsf", "versions": [{"status": "affected", "version": "< 2.1.0"}]}, {"vendor": "dev.dsf", "product": "dsf-bpe-server", "versions": [{"status": "affected", "version": "< 2.1.0"}]}, {"vendor": "dev.dsf", "product": "dsf-common-jetty", "versions": [{"status": "affected", "version": "< 2.1.0"}]}, {"vendor": "dev.dsf", "product": "dsf-fhir-server", "versions": [{"status": "affected", "version": "< 2.1.0"}]}], "references": [{"url": "https://github.com/datasharingframework/dsf/security/advisories/GHSA-gj7p-595x-qwf5", "name": "https://github.com/datasharingframework/dsf/security/advisories/GHSA-gj7p-595x-qwf5", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/datasharingframework/dsf/commit/f4ecb002f7d12642f92da6b79371ed367d0140e7", "name": "https://github.com/datasharingframework/dsf/commit/f4ecb002f7d12642f92da6b79371ed367d0140e7", "tags": ["x_refsource_MISC"]}, {"url": "https://dsf.dev/operations/v2.1.0/bpe/oidc.html", "name": "https://dsf.dev/operations/v2.1.0/bpe/oidc.html", "tags": ["x_refsource_MISC"]}, {"url": "https://dsf.dev/operations/v2.1.0/fhir/oidc.html", "name": "https://dsf.dev/operations/v2.1.0/fhir/oidc.html", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "The Data Sharing Framework (DSF) implements a distributed process engine based on the BPMN 2.0 and FHIR R4 standards. Prior to 2.1.0, OIDC-authenticated sessions had no configured maximum inactivity timeout. Sessions persisted indefinitely after login, even after the OIDC access token expired. This vulnerability is fixed in 2.1.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-613", "description": "CWE-613: Insufficient Session Expiration"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T21:07:10.503Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40939", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-22T17:43:47.019567Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-04-22T17:43:59.508Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-40939", "state": "PUBLISHED", "dateUpdated": "2026-04-21T21:07:10.503Z", "dateReserved": "2026-04-15T20:40:15.518Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-21T21:07:10.503Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Data Sharing Framework (DSF) implements a distributed process engine based on the BPMN 2.0 and FHIR R4 standards. Prior to 2.1.0, OIDC-authenticated sessions had no configured maximum inactivity timeout. Sessions persisted indefinitely after login, even after the OIDC access token expired. This vulnerability is fixed in 2.1.0."}], "id": "CVE-2026-40939", "lastModified": "2026-04-29T20:57:57.230", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "PHYSICAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T22:16:19.547", "references": [{"source": "security-advisories@github.com", "url": "https://dsf.dev/operations/v2.1.0/bpe/oidc.html"}, {"source": "security-advisories@github.com", "url": "https://dsf.dev/operations/v2.1.0/fhir/oidc.html"}, {"source": "security-advisories@github.com", "url": "https://github.com/datasharingframework/dsf/commit/f4ecb002f7d12642f92da6b79371ed367d0140e7"}, {"source": "security-advisories@github.com", "url": "https://github.com/datasharingframework/dsf/security/advisories/GHSA-gj7p-595x-qwf5"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-613"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.1.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "dsf", "source": "cna", "vendor": "datasharingframework"}, "product": "dsf", "vendor": "datasharingframework"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.1.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "dsf-bpe-server", "source": "cna", "vendor": "dev.dsf"}, "product": "dsf-bpe-server", "vendor": "dev.dsf"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.1.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "dsf-common-jetty", "source": "cna", "vendor": "dev.dsf"}, "product": "dsf-common-jetty", "vendor": "dev.dsf"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.1.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "dsf-fhir-server", "source": "cna", "vendor": "dev.dsf"}, "product": "dsf-fhir-server", "vendor": "dev.dsf"}], "analysis": {"en": {"generated_at": "2026-04-22T07:27:05.018171+00:00", "value": {"mitigation_remediation": ["Apply the DSF update to version 2.1.0 or later to enforce a session timeout.", "Configure explicit inactivity timeouts for OIDC sessions on the application level if using a custom deployment that cannot be immediately updated.", "Audit session handling to confirm that expired OIDC tokens are not accepted as a valid session."], "summary": {"action": "Patch Immediately", "impact": "Persistent Unauthorized Session Abuse"}, "threat_synthesis": {"affected_systems": "Affected consumers include deployments of datasharingframework:dsf, dev.dsf:dsf\u2011bpe\u2011server, dev.dsf:dsf\u2011common\u2011jetty, and dev.dsf:dsf\u2011fhir\u2011server. All releases prior to 2.1.0 are impacted. Version 2.1.0 and later contain the session\u2011timeout fix.", "description_and_impact": "The Data Sharing Framework gave OIDC\u2011authenticated users no inactivity timeout before version 2.1.0. Consequently, a user who logged in could maintain an active session even once the underlying OIDC access token had expired. The vulnerability presents a classic absence\u2011of\u2011session\u2011termination weakness (CWE\u2011613) that enables an attacker or an abuse of an existing session to continue accessing protected resources without further authentication.", "risk_and_exploitability": "The CVSS score of 6.8 indicates moderate severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting limited exploitation data. Based on the description, it is inferred that attackers could exploit this via the web interface or API after initially authenticating, keeping the session alive indefinitely and bypassing time\u2011based access controls. The risk is primarily to confidentiality and integrity of the resources accessed during the lingering session."}}}}, "created": "2026-04-22T07:30:11.594372+00:00", "updated": "2026-04-22T11:45:03.802859+00:00", "vendors": ["datasharingframework", "datasharingframework$PRODUCT$dsf", "dev.dsf", "dev.dsf$PRODUCT$dsf-bpe-server", "dev.dsf$PRODUCT$dsf-common-jetty", "dev.dsf$PRODUCT$dsf-fhir-server"]}