Description
The Data Sharing Framework (DSF) implements a distributed process engine based on the BPMN 2.0 and FHIR R4 standards. Prior to 2.1.0, OIDC-authenticated sessions had no configured maximum inactivity timeout. Sessions persisted indefinitely after login, even after the OIDC access token expired. This vulnerability is fixed in 2.1.0.
Published: 2026-04-21
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Persistent Unauthorized Session Abuse
Action: Patch Immediately
AI Analysis

Impact

The Data Sharing Framework gave OIDC‑authenticated users no inactivity timeout before version 2.1.0. Consequently, a user who logged in could maintain an active session even once the underlying OIDC access token had expired. The vulnerability presents a classic absence‑of‑session‑termination weakness (CWE‑613) that enables an attacker or an abuse of an existing session to continue accessing protected resources without further authentication.

Affected Systems

Affected consumers include deployments of datasharingframework:dsf, dev.dsf:dsf‑bpe‑server, dev.dsf:dsf‑common‑jetty, and dev.dsf:dsf‑fhir‑server. All releases prior to 2.1.0 are impacted. Version 2.1.0 and later contain the session‑timeout fix.

Risk and Exploitability

The CVSS score of 6.8 indicates moderate severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting limited exploitation data. Based on the description, it is inferred that attackers could exploit this via the web interface or API after initially authenticating, keeping the session alive indefinitely and bypassing time‑based access controls. The risk is primarily to confidentiality and integrity of the resources accessed during the lingering session.

Generated by OpenCVE AI on April 22, 2026 at 07:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the DSF update to version 2.1.0 or later to enforce a session timeout.
  • Configure explicit inactivity timeouts for OIDC sessions on the application level if using a custom deployment that cannot be immediately updated.
  • Audit session handling to confirm that expired OIDC tokens are not accepted as a valid session.

Generated by OpenCVE AI on April 22, 2026 at 07:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-gj7p-595x-qwf5 Data Sharing Framework is Missing Session Timeout for OIDC Sessions
History

Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Datasharingframework
Datasharingframework dsf
Dev.dsf
Dev.dsf dsf-bpe-server
Dev.dsf dsf-common-jetty
Dev.dsf dsf-fhir-server
Vendors & Products Datasharingframework
Datasharingframework dsf
Dev.dsf
Dev.dsf dsf-bpe-server
Dev.dsf dsf-common-jetty
Dev.dsf dsf-fhir-server

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description The Data Sharing Framework (DSF) implements a distributed process engine based on the BPMN 2.0 and FHIR R4 standards. Prior to 2.1.0, OIDC-authenticated sessions had no configured maximum inactivity timeout. Sessions persisted indefinitely after login, even after the OIDC access token expired. This vulnerability is fixed in 2.1.0.
Title DSF: Missing Session Timeout for OIDC Sessions
Weaknesses CWE-613
References
Metrics cvssV4_0

{'score': 6.8, 'vector': 'CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Datasharingframework Dsf
Dev.dsf Dsf-bpe-server Dsf-common-jetty Dsf-fhir-server
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-22T17:44:03.707Z

Reserved: 2026-04-15T20:40:15.518Z

Link: CVE-2026-40939

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-21T22:16:19.547

Modified: 2026-04-21T22:16:19.547

Link: CVE-2026-40939

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T11:45:03Z

Weaknesses