CVE-2026-40942

Source
https://cve.org/CVERecord?id=CVE-2026-40942
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40942.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-40942
Aliases
Published
2026-04-21T21:09:44.537Z
Modified
2026-07-08T08:15:01.696035102Z
Severity
  • 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVSS Calculator
Summary
DSF: Inverted Time Comparison in OIDC JWKS and Token Cache
Details

The Data Sharing Framework (DSF) implements a distributed process engine based on the BPMN 2.0 and FHIR R4 standards. Prior to 2.1.0, The OIDC JWKS and Metadata Document caches used an inverted time comparison (isBefore instead of isAfter), causing the cache to never return cached values. Every incoming request triggered a fresh HTTP fetch of the OIDC Metadata Document and JWKS keys from the OIDC provider. The OIDC token cache for the FHIR client connections used an inverted time comparison (isBefore instead of isAfter), causing the cache to never invalidate. Every incoming request returned the same OIDC token even if expired. This vulnerability is fixed in 2.1.0.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40942.json",
    "cwe_ids": [
        "CWE-670"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/datasharingframework/dsf

Affected ranges

Type
GIT
Repo
https://github.com/datasharingframework/dsf
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.1.0"
        }
    ]
}

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40942.json"