Session Management Flaw in Data Sharing Framework by Data Sharing Framework Team
CVE-2026-40939

6.8 MEDIUM

Key Information:

Vendor
CVE Published:
21 April 2026

What is CVE-2026-40939?

The Data Sharing Framework (DSF) prior to version 2.1.0 has a session management vulnerability: OIDC-authenticated sessions have no maximum inactivity timeout. A session therefore persists indefinitely after login, and can continue to grant access even after the OIDC access token that established it has expired. Version 2.1.0 addresses the issue by enforcing a session timeout configuration.
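As an added illustration of the two bounds the description implies (an idle timeout and the access token's lifetime), the following servlet filter is example code written for this page, not DSF's own implementation; the jakarta.servlet API, the 15-minute limit, the class name and the session attribute `oidc.access_token.exp` are assumptions.

```java
import java.io.IOException;
import java.time.Instant;

import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;

/**
 * Illustrative filter (not DSF code): bounds an OIDC-authenticated session by an
 * inactivity timeout and by the access token's expiry. The attribute name and
 * the timeout value below are assumptions made for this example.
 */
public class BoundedOidcSessionFilter implements Filter {

    // Maximum idle time before the container drops the session (assumed value).
    private static final int MAX_INACTIVE_SECONDS = 15 * 60;
    // Session attribute holding the token's "exp" claim as epoch seconds (assumed name).
    static final String TOKEN_EXP_ATTR = "oidc.access_token.exp";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false);

        if (session == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Vulnerable state: no interval configured (or a non-positive one, which the
        // servlet API treats as "never time out"), so the session lives until restart.
        session.setMaxInactiveInterval(MAX_INACTIVE_SECONDS);

        if (!tokenStillValid(session.getAttribute(TOKEN_EXP_ATTR), Instant.now())) {
            session.invalidate(); // end the session instead of letting it outlive the token
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(req, res);
    }

    /** True only if a stored expiry is present and still lies in the future. */
    static boolean tokenStillValid(Object expAttr, Instant now) {
        return expAttr instanceof Long && now.getEpochSecond() < (Long) expAttr;
    }
}
```

In a real deployment the inactivity limit is better set once on the container's session handler rather than per request; the per-request call here only keeps the example self-contained.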

Affected Version(s)

dsf < 2.1.0

dsf-bpe-server < 2.1.0

dsf-common-jetty < 2.1.0

References

CVSS v4

Score: 6.8
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Physical
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
