CVE-2026-40942: CWE-670: Always-Incorrect Control Flow Implementation in datasharingframework dsf
CVE-2026-40942 affects the Data Sharing Framework (DSF) versions prior to 2. 1. 0. It involves incorrect time comparisons in the caching logic for OIDC JWKS and Metadata Document caches, causing these caches to never return cached values and thus trigger unnecessary HTTP fetches. Additionally, the OIDC token cache for FHIR client connections uses an inverted time comparison that prevents token invalidation, causing expired tokens to be reused. This vulnerability has a medium severity score of 6. 3 and is fixed in version 2. 1. 0.
AI Analysis
Technical Summary
The Data Sharing Framework (DSF) prior to version 2.1.0 contains a logic flaw in its caching mechanism for OIDC JWKS, Metadata Document, and token caches. Specifically, it uses an inverted time comparison (isBefore instead of isAfter), which results in the JWKS and Metadata Document caches never returning cached values, causing every request to fetch fresh data from the OIDC provider. Conversely, the OIDC token cache never invalidates tokens due to the same inverted comparison, causing expired tokens to be reused. This issue is classified under CWE-670 (Always-Incorrect Control Flow Implementation) and has been addressed in DSF version 2.1.0.
Potential Impact
The vulnerability causes inefficient cache behavior leading to unnecessary network requests for OIDC metadata and keys, potentially impacting performance. More critically, the token cache never invalidates expired tokens, which could lead to the use of stale authentication tokens. This may reduce the effectiveness of token expiration controls, potentially increasing the risk of unauthorized access if tokens are compromised or revoked. However, no known exploits are reported in the wild.
Mitigation Recommendations
Upgrade to Data Sharing Framework version 2.1.0 or later, where this issue is fixed. Since the vendor advisory indicates the vulnerability is resolved in version 2.1.0, applying this official fix is the recommended remediation. No other mitigation steps are indicated.
CVE-2026-40942: CWE-670: Always-Incorrect Control Flow Implementation in datasharingframework dsf
Description
CVE-2026-40942 affects the Data Sharing Framework (DSF) versions prior to 2. 1. 0. It involves incorrect time comparisons in the caching logic for OIDC JWKS and Metadata Document caches, causing these caches to never return cached values and thus trigger unnecessary HTTP fetches. Additionally, the OIDC token cache for FHIR client connections uses an inverted time comparison that prevents token invalidation, causing expired tokens to be reused. This vulnerability has a medium severity score of 6. 3 and is fixed in version 2. 1. 0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Data Sharing Framework (DSF) prior to version 2.1.0 contains a logic flaw in its caching mechanism for OIDC JWKS, Metadata Document, and token caches. Specifically, it uses an inverted time comparison (isBefore instead of isAfter), which results in the JWKS and Metadata Document caches never returning cached values, causing every request to fetch fresh data from the OIDC provider. Conversely, the OIDC token cache never invalidates tokens due to the same inverted comparison, causing expired tokens to be reused. This issue is classified under CWE-670 (Always-Incorrect Control Flow Implementation) and has been addressed in DSF version 2.1.0.
Potential Impact
The vulnerability causes inefficient cache behavior leading to unnecessary network requests for OIDC metadata and keys, potentially impacting performance. More critically, the token cache never invalidates expired tokens, which could lead to the use of stale authentication tokens. This may reduce the effectiveness of token expiration controls, potentially increasing the risk of unauthorized access if tokens are compromised or revoked. However, no known exploits are reported in the wild.
Mitigation Recommendations
Upgrade to Data Sharing Framework version 2.1.0 or later, where this issue is fixed. Since the vendor advisory indicates the vulnerability is resolved in version 2.1.0, applying this official fix is the recommended remediation. No other mitigation steps are indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-15T20:40:15.519Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e7e91619fe3cd2cdfaec51
Added to database: 4/21/2026, 9:16:06 PM
Last enriched: 4/21/2026, 9:32:06 PM
Last updated: 4/21/2026, 11:48:35 PM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.