← voltar
CVE-2026-40939

DSF: Missing Session Timeout for OIDC Sessions

CVSS 6.8 MEDIUMEPSS 0.2%CWE-613
Vexday Risk Score
13Baixo
Decisão SSVC (CISA)
Track
Sem sinal de exploração → monitorar
CVSS 6.8EPSS 0.2%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
21 abr 2026Publicada no NVD
Recomendação: Monitorar — sem sinal de exploração no momento.
The Data Sharing Framework (DSF) implements a distributed process engine based on the BPMN 2.0 and FHIR R4 standards. Prior to 2.1.0, OIDC-authenticated sessions had no configured maximum inactivity timeout. Sessions persisted indefinitely after login, even after the OIDC access token expired. This vulnerability is fixed in 2.1.0.
CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Produtos afetados
datasharingframework · dsfdev.dsf · dsf-bpe-serverdev.dsf · dsf-common-jettydev.dsf · dsf-fhir-server

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →
Referências
https://dsf.dev/operations/v2.1.0/bpe/oidc.htmlhttps://dsf.dev/operations/v2.1.0/fhir/oidc.htmlhttps://github.com/datasharingframework/dsf/commit/f4ecb002f7d12642f92da6b79371ed367d0140e7https://github.com/datasharingframework/dsf/security/advisories/GHSA-gj7p-595x-qwf5