CVE-2026-40942

UNKNOWN 0.0

DSF: Inverted Time Comparison in OIDC JWKS and Token Cache

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

The Data Sharing Framework (DSF) implements a distributed process engine based on the BPMN 2.0 and FHIR R4 standards. Prior to 2.1.0, The OIDC JWKS and Metadata Document caches used an inverted time comparison (isBefore instead of isAfter), causing the cache to never return cached values. Every incoming request triggered a fresh HTTP fetch of the OIDC Metadata Document and JWKS keys from the OIDC provider. The OIDC token cache for the FHIR client connections used an inverted time comparison (isBefore instead of isAfter), causing the cache to never invalidate. Every incoming request returned the same OIDC token even if expired. This vulnerability is fixed in 2.1.0.

CWE	CWE-670
Vendor	datasharingframework
Product	dsf
Published	Apr 21, 2026

Stay Ahead of the Next One

Get instant alerts for datasharingframework dsf

Be the first to know when new unknown vulnerabilities affecting datasharingframework dsf are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

datasharingframework / dsf

< 2.1.0

dev.dsf / dsf-bpe-process-api-v2

< 2.1.0

dev.dsf / dsf-bpe-server

< 2.1.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/datasharingframework/dsf/security/advisories/GHSA-xmj9-7625-f634 github.com: https://github.com/datasharingframework/dsf/commit/31c2e974dfd4351756104ee8c53dbcd666192fef github.com: https://github.com/datasharingframework/dsf/commit/d3ca59b4daccde16a006fedeccce28fd1f826908