Inverted Time Comparison Issue in Data Sharing Framework by Data Sharing Framework
CVE-2026-40942

6.3 MEDIUM

What is CVE-2026-40942?

The Data Sharing Framework (DSF) implements time comparisons incorrectly in the cache it uses for OpenID Connect (OIDC) JSON Web Key Set (JWKS) and Metadata Documents. Prior to version 2.1.0, the inverted comparison meant the cache never returned still-valid cached values, so every incoming request triggered a new HTTP fetch of the required documents. The OIDC token cache used in FHIR client connections had the same flawed comparison logic, with the opposite symptom: expired tokens were repeatedly returned from the cache. This could compromise session security by allowing the reuse of invalidated tokens. The issue has been addressed in version 2.1.0.
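As an added illustration (constructed example code, not DSF's own), the following Python cache shows how one inverted expiry comparison produces both symptoms described above: still-valid entries are refetched on every request, and entries past their expiry are served. The `Entry`, `ExpiringCache` and `simulate` names and the 10-minute TTL are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional


@dataclass
class Entry:
    value: str
    expires_at: datetime


@dataclass
class ExpiringCache:
    """Single-slot cache in the style of a JWKS/metadata or OIDC token cache.
    `fetch` stands in for the HTTP call that refills it; `inverted` selects
    the flawed comparison so both variants can be run side by side."""
    fetch: Callable[[], Entry]
    inverted: bool = False
    entry: Optional[Entry] = None
    fetch_count: int = 0

    def _is_expired(self, now: datetime) -> bool:
        if self.inverted:
            # Flawed: a still-valid entry counts as expired, and vice versa.
            return now < self.entry.expires_at
        # Correct: expired once the clock has reached the expiry instant.
        return now >= self.entry.expires_at

    def get(self, now: datetime) -> str:
        if self.entry is None or self._is_expired(now):
            self.entry = self.fetch()
            self.fetch_count += 1
        return self.entry.value


def simulate(inverted: bool) -> dict:
    """Three requests within the TTL, then one well past it; returns the
    values served and how many fetches the cache made."""
    t0 = datetime(2026, 1, 1, tzinfo=timezone.utc)
    clock = [t0]      # constructed "current time", shared with the fetcher
    counter = [0]

    def fetch() -> Entry:
        counter[0] += 1
        return Entry(f"doc-v{counter[0]}", clock[0] + timedelta(minutes=10))

    cache = ExpiringCache(fetch=fetch, inverted=inverted)
    served = []
    for minutes in (0, 1, 2, 30):
        clock[0] = t0 + timedelta(minutes=minutes)
        served.append(cache.get(clock[0]))
    return {"served": served, "fetches": cache.fetch_count}
```

With the correct comparison the three in-TTL requests share one fetch and the late request refreshes; with the inverted one every in-TTL request refetches and the late request is served a document that expired 18 minutes earlier.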

Affected Version(s)

dsf < 2.1.0

dsf-bpe-process-api-v2 < 2.1.0

dsf-bpe-server < 2.1.0

CVSS V4

Score: 6.3
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
