CVE-2026-40939: CWE-613: Insufficient Session Expiration in datasharingframework dsf
CVE-2026-40939 is a vulnerability in the Data Sharing Framework (DSF) versions prior to 2. 1. 0 where OIDC-authenticated sessions did not have a maximum inactivity timeout configured. As a result, sessions persisted indefinitely after login, even after the OIDC access token expired. This issue was fixed in version 2. 1. 0. The vulnerability is classified as CWE-613 (Insufficient Session Expiration) and has a CVSS 4. 0 base score of 6. 8, indicating medium severity.
AI Analysis
Technical Summary
The Data Sharing Framework (DSF) implements a distributed process engine based on BPMN 2.0 and FHIR R4 standards. In versions before 2.1.0, DSF's OIDC-authenticated sessions lacked a configured maximum inactivity timeout, causing sessions to persist indefinitely after login despite expiration of the OIDC access token. This insufficient session expiration can lead to prolonged unauthorized access if session tokens are not properly invalidated. The vulnerability is addressed by configuring appropriate session timeouts in DSF version 2.1.0.
Potential Impact
Affected DSF versions prior to 2.1.0 allow OIDC-authenticated sessions to remain active indefinitely after login, even when the OIDC access token has expired. This can result in unauthorized prolonged access to the system if session tokens are compromised or not properly invalidated, increasing the risk of session hijacking or misuse. The CVSS score of 6.8 reflects a medium severity impact with high confidentiality and integrity impact vectors.
Mitigation Recommendations
Upgrade to Data Sharing Framework version 2.1.0 or later, where the vulnerability is fixed by implementing a maximum inactivity timeout for OIDC-authenticated sessions. No other mitigation is indicated or required as the fix is available in the official release.
CVE-2026-40939: CWE-613: Insufficient Session Expiration in datasharingframework dsf
Description
CVE-2026-40939 is a vulnerability in the Data Sharing Framework (DSF) versions prior to 2. 1. 0 where OIDC-authenticated sessions did not have a maximum inactivity timeout configured. As a result, sessions persisted indefinitely after login, even after the OIDC access token expired. This issue was fixed in version 2. 1. 0. The vulnerability is classified as CWE-613 (Insufficient Session Expiration) and has a CVSS 4. 0 base score of 6. 8, indicating medium severity.
CVSS v4.0
Score 6.8medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Data Sharing Framework (DSF) implements a distributed process engine based on BPMN 2.0 and FHIR R4 standards. In versions before 2.1.0, DSF's OIDC-authenticated sessions lacked a configured maximum inactivity timeout, causing sessions to persist indefinitely after login despite expiration of the OIDC access token. This insufficient session expiration can lead to prolonged unauthorized access if session tokens are not properly invalidated. The vulnerability is addressed by configuring appropriate session timeouts in DSF version 2.1.0.
Potential Impact
Affected DSF versions prior to 2.1.0 allow OIDC-authenticated sessions to remain active indefinitely after login, even when the OIDC access token has expired. This can result in unauthorized prolonged access to the system if session tokens are compromised or not properly invalidated, increasing the risk of session hijacking or misuse. The CVSS score of 6.8 reflects a medium severity impact with high confidentiality and integrity impact vectors.
Mitigation Recommendations
Upgrade to Data Sharing Framework version 2.1.0 or later, where the vulnerability is fixed by implementing a maximum inactivity timeout for OIDC-authenticated sessions. No other mitigation is indicated or required as the fix is available in the official release.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-15T20:40:15.518Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e7e91619fe3cd2cdfaec4b
Added to database: 4/21/2026, 9:16:06 PM
Last enriched: 4/29/2026, 11:14:24 AM
Last updated: 6/5/2026, 11:05:29 PM
Views: 65
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.