CVE-2026-40942
MEDIUMDSF: Inverted Time Comparison in OIDC JWKS and Token Cache
Title source: cnaDescription
The Data Sharing Framework (DSF) implements a distributed process engine based on the BPMN 2.0 and FHIR R4 standards. Prior to 2.1.0, The OIDC JWKS and Metadata Document caches used an inverted time comparison (isBefore instead of isAfter), causing the cache to never return cached values. Every incoming request triggered a fresh HTTP fetch of the OIDC Metadata Document and JWKS keys from the OIDC provider. The OIDC token cache for the FHIR client connections used an inverted time comparison (isBefore instead of isAfter), causing the cache to never invalidate. Every incoming request returned the same OIDC token even if expired. This vulnerability is fixed in 2.1.0.
References (3)
Core 3
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/datasharingframework/dsf/security/advisories/GHSA-xmj9-7625-f634
X_Refsource_Misc x_refsource_misc
https://github.com/datasharingframework/dsf/commit/31c2e974dfd4351756104ee8c53dbcd666192fef
X_Refsource_Misc x_refsource_misc
https://github.com/datasharingframework/dsf/commit/d3ca59b4daccde16a006fedeccce28fd1f826908
Scores
CVSS v4
6.3
EPSS
0.0029
EPSS Percentile
20.6%
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-670
Status
published
Products (5)
datasharingframework/dsf
< 2.1.0
dev.dsf/dsf-bpe-process-api-v2
0Maven
dev.dsf/dsf-bpe-process-api-v2
< 2.1.0
dev.dsf/dsf-bpe-server
0Maven
dev.dsf/dsf-bpe-server
< 2.1.0
Published
Apr 21, 2026
Tracked Since
Apr 22, 2026