Description
The Data Sharing Framework (DSF) implements a distributed process engine based on the BPMN 2.0 and FHIR R4 standards. Prior to 2.1.0, the OIDC JWKS and Metadata Document caches used an inverted time comparison (isBefore instead of isAfter), causing the cache to never return cached values. Every incoming request triggered a fresh HTTP fetch of the OIDC Metadata Document and JWKS keys from the OIDC provider. The OIDC token cache for the FHIR client connections used an inverted time comparison (isBefore instead of isAfter), causing the cache to never invalidate. Every incoming request returned the same OIDC token even if expired. This vulnerability is fixed in 2.1.0.
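The description names the defect precisely (an isBefore/isAfter mix-up in a time-to-live check) but not how one wrong comparison yields two opposite symptoms. The following is an added illustration written for this page, not DSF's own code and not a reconstruction of its cache classes: a simplified single-entry TTL cache (TtlCache, CountingLoader and the timestamp are constructed for the example) whose "needs refresh" test can be run in the correct or the inverted form. The inverted form reproduces both behaviours reported above: an entry that is still fresh is refetched on every call (the JWKS and metadata symptom), and an entry that has aged past its expiry without being touched is never refreshed again (the token symptom).

```java
import java.time.Duration;
import java.time.Instant;
import java.util.function.Supplier;

/**
 * Added illustration of the inverted-time-comparison defect (CWE-670)
 * described on this page. Simplified model, not DSF project code; the
 * "HTTP fetch" is simulated by a counting loader so it runs offline.
 */
public final class TtlCacheDemo {

    /** One cached value with an absolute expiry instant. */
    static final class TtlCache<T> {
        private final Supplier<T> loader;   // stands in for a fetch of JWKS / metadata / token
        private final Duration ttl;
        private final boolean inverted;     // true reproduces the isBefore/isAfter mix-up
        private T value;
        private Instant expiresAt;

        TtlCache(Supplier<T> loader, Duration ttl, boolean inverted) {
            this.loader = loader;
            this.ttl = ttl;
            this.inverted = inverted;
        }

        T get(Instant now) {
            if (value == null || needsRefresh(now)) {
                value = loader.get();
                expiresAt = now.plus(ttl);
            }
            return value;
        }

        private boolean needsRefresh(Instant now) {
            // Correct: the entry is stale once the current time is after its expiry.
            // Inverted (the bug): now.isBefore(expiresAt) is true exactly while the
            // entry is still fresh, so fresh entries are refetched and, once the entry
            // has actually expired, the check is false and the stale value is kept.
            return inverted ? now.isBefore(expiresAt) : now.isAfter(expiresAt);
        }
    }

    /** Counts loader invocations so the two cache variants can be compared. */
    static final class CountingLoader implements Supplier<String> {
        int calls = 0;

        @Override
        public String get() {
            return "value#" + (++calls);
        }
    }

    public static void main(String[] args) {
        Duration ttl = Duration.ofMinutes(10);
        Instant t0 = Instant.parse("2026-04-21T12:00:00Z"); // constructed timestamp

        // Symptom 1 (JWKS / metadata caches): three calls well inside the TTL.
        CountingLoader buggyLoader = new CountingLoader();
        TtlCache<String> buggy = new TtlCache<>(buggyLoader, ttl, true);
        buggy.get(t0);
        buggy.get(t0.plusSeconds(1));
        buggy.get(t0.plusSeconds(2));
        System.out.println("inverted check, 3 calls within TTL -> loads: " + buggyLoader.calls); // 3

        CountingLoader fixedLoader = new CountingLoader();
        TtlCache<String> fixed = new TtlCache<>(fixedLoader, ttl, false);
        fixed.get(t0);
        fixed.get(t0.plusSeconds(1));
        fixed.get(t0.plusSeconds(2));
        System.out.println("correct check, 3 calls within TTL -> loads: " + fixedLoader.calls); // 1

        // Symptom 2 (token cache): the next call arrives after every expiry has passed.
        // The inverted check is now false, so the stale value is served and no reload
        // ever happens again; the correct check reloads.
        Instant late = t0.plus(ttl).plusSeconds(30);
        String fromBuggy = buggy.get(late);
        String fromFixed = fixed.get(late);
        System.out.println("inverted check after expiry -> " + fromBuggy
                + ", loads still " + buggyLoader.calls);          // value#3, loads still 3
        System.out.println("correct check after expiry -> " + fromFixed
                + ", loads now " + fixedLoader.calls);            // value#2, loads now 2
    }
}
```

Compile and run with `javac TtlCacheDemo.java && java TtlCacheDemo`. The useful takeaway for reviewing or testing any expiring cache is that a single test on one side of the boundary does not catch this class of bug: a test must inject a clock and assert both that a freshly loaded entry is served without a reload and that an entry past its expiry is reloaded, since the inverted comparison fails one of the two while passing the other.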
Published: 2026-04-21
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass via Stale OIDC Tokens
Action: Patch Immediately
AI Analysis

Impact

The Data Sharing Framework implements caching for OIDC JWKS, metadata, and token values. In versions before 2.1.0 the logic used an inverted time comparison, causing cached entries to never be regarded as valid and, for the token cache, never to be invalidated. As a result, each request triggers a fetch of the OIDC metadata and JWKS keys, and every request is served with the same expired token. An attacker can exploit this flaw by simply continuing to send requests, thereby maintaining unauthorized access with tokens that should have been rejected. The core weakness is a misuse of time comparison, identified as CWE-670.

Affected Systems

This flaw affects the Data Sharing Framework by datasharingframework, specifically the dsf-bpe-process-api-v2 and dsf-bpe-server components. All releases older than 2.1.0 are vulnerable; 2.1.0 and later include the fix.

Risk and Exploitability

The CVSS score of 6.3 places the issue in the Medium severity band. The vulnerability is exploitable over remote HTTP traffic to DSF services. No EPSS data is available and the issue is not listed in the CISA KEV catalog, so known exploitation is not documented. Nevertheless, any party able to issue repeated requests can leverage the expired-token reuse to gain authorized data access or potentially elevate privileges.

Generated by OpenCVE AI on April 22, 2026 at 07:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Data Sharing Framework to version 2.1.0 or later and deploy the release to all affected instances.
  • Restart the DSF services after upgrading to clear any stale in-memory caches and ensure fresh fetches of OIDC metadata and JWKS keys.
  • Revoke or regenerate OIDC tokens for all clients to force them to obtain fresh, valid tokens from the provider.


Tracking


Advisories

No advisories yet.

History

Wed, 22 Apr 2026 12:15:00 +0000

Type: First Time appeared
  Values Removed: (empty)
  Values Added: Datasharingframework; Datasharingframework dsf; Dev.dsf; Dev.dsf dsf-bpe-process-api-v2; Dev.dsf dsf-bpe-server

Type: Vendors & Products
  Values Removed: (empty)
  Values Added: Datasharingframework; Datasharingframework dsf; Dev.dsf; Dev.dsf dsf-bpe-process-api-v2; Dev.dsf dsf-bpe-server

Wed, 22 Apr 2026 00:00:00 +0000

Type: Description
  Values Removed: (empty)
  Values Added: The Data Sharing Framework (DSF) implements a distributed process engine based on the BPMN 2.0 and FHIR R4 standards. Prior to 2.1.0, The OIDC JWKS and Metadata Document caches used an inverted time comparison (isBefore instead of isAfter), causing the cache to never return cached values. Every incoming request triggered a fresh HTTP fetch of the OIDC Metadata Document and JWKS keys from the OIDC provider. The OIDC token cache for the FHIR client connections used an inverted time comparison (isBefore instead of isAfter), causing the cache to never invalidate. Every incoming request returned the same OIDC token even if expired. This vulnerability is fixed in 2.1.0.

Type: Title
  Values Removed: (empty)
  Values Added: DSF: Inverted Time Comparison in OIDC JWKS and Token Cache

Type: Weaknesses
  Values Removed: (empty)
  Values Added: CWE-670

Type: References
  Values Removed: (empty)
  Values Added: (empty)

Type: Metrics
  Values Removed: (empty)
  Values Added: cvssV4_0 {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T21:09:44.537Z

Reserved: 2026-04-15T20:40:15.519Z

Link: CVE-2026-40942

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-21T22:16:19.700

Modified: 2026-04-21T22:16:19.700

Link: CVE-2026-40942

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T11:45:02Z

Weaknesses