Description
The Data Sharing Framework (DSF) implements a distributed process engine based on the BPMN 2.0 and FHIR R4 standards. Prior to 2.1.0, OIDC-authenticated sessions had no configured maximum inactivity timeout. Sessions persisted indefinitely after login, even after the OIDC access token expired. This vulnerability is fixed in 2.1.0.
References (4)
- Advisory (x_refsource_confirm): https://github.com/datasharingframework/dsf/security/advisories/GHSA-gj7p-595x-qwf5
- Fix commit (x_refsource_misc): https://github.com/datasharingframework/dsf/commit/f4ecb002f7d12642f92da6b79371ed367d0140e7
- BPE server OIDC documentation (x_refsource_misc): https://dsf.dev/operations/v2.1.0/bpe/oidc.html
- FHIR server OIDC documentation (x_refsource_misc): https://dsf.dev/operations/v2.1.0/fhir/oidc.html
Scores
CVSS v4: 6.8 (CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N)
EPSS: 0.0015
EPSS Percentile: 4.9%
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-613
Status: published
Products (7)
- datasharingframework/dsf: < 2.1.0
- dev.dsf/dsf-bpe-server (Maven): < 2.1.0
- dev.dsf/dsf-common-jetty (Maven): < 2.1.0
- dev.dsf/dsf-fhir-server (Maven): < 2.1.0
Published: Apr 21, 2026
Tracked Since: Apr 22, 2026