CVE-2026-40939
Persistent Session Vulnerability in DSF OIDC Authentication
Publication date: 2026-04-21
Last updated on: 2026-04-21
Assigner: GitHub, Inc.
Exploitability
| CWE ID | Description |
|---|---|
| CWE-613 | According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization." |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade the Data Sharing Framework (DSF) to version 2.1.0 or later, where the issue with OIDC-authenticated sessions persisting indefinitely has been fixed by configuring a maximum inactivity timeout.
Can you explain this vulnerability to me?
The vulnerability exists in the Data Sharing Framework (DSF) versions prior to 2.1.0, where OIDC-authenticated sessions did not have a configured maximum inactivity timeout.
As a result, sessions persisted indefinitely after login, even after the OIDC access token had expired.
This means that once a user had logged in, their session remained usable no matter how long it had been idle, potentially allowing unauthorized continued access.
This issue was fixed in version 2.1.0 by introducing a maximum inactivity timeout for sessions.
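As an added illustration (not DSF's own code or configuration), the following Python model contrasts a session store with no maximum inactivity timeout, the pre-2.1.0 behaviour described above, with one that enforces a 30-minute idle limit; the class names, session ids and timestamps are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

@dataclass
class Session:
    user: str
    last_activity: datetime  # refreshed on every authenticated request

class SessionStore:
    """Illustrative server-side session registry (not DSF's own code). max_inactivity=None
    models the pre-2.1.0 behaviour (CWE-613): an OIDC-established session is honoured forever."""

    def __init__(self, max_inactivity: Optional[timedelta]) -> None:
        self.max_inactivity = max_inactivity
        self._sessions: Dict[str, Session] = {}

    def login(self, sid: str, user: str, now: datetime) -> None:
        self._sessions[sid] = Session(user, now)

    def authenticate(self, sid: str, now: datetime) -> Optional[str]:
        """Return the user of a live session, or None after discarding a stale one."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self.max_inactivity is not None and now - s.last_activity > self.max_inactivity:
            del self._sessions[sid]  # idle too long: a fresh OIDC login is required
            return None
        s.last_activity = now        # any authenticated request restarts the idle clock
        return s.user

LOGIN = datetime(2026, 4, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamp

def demo_indefinite_session() -> Dict[str, Optional[str]]:
    """Three days after login, long after a short-lived access token would have expired,
    the unconfigured store still accepts the session; a 30-minute idle limit rejects it."""
    out: Dict[str, Optional[str]] = {}
    for label, idle in (("vulnerable", None), ("fixed", timedelta(minutes=30))):
        store = SessionStore(max_inactivity=idle)
        store.login("sid-1", "alice", LOGIN)
        out[label] = store.authenticate("sid-1", LOGIN + timedelta(days=3))
    return out

def demo_sliding_window() -> List[Optional[str]]:
    """With a 30-minute limit, a request at +20 min keeps the session alive at +45 min,
    but 55 idle minutes after that end it: ['alice', 'alice', None]."""
    store = SessionStore(max_inactivity=timedelta(minutes=30))
    store.login("sid-2", "alice", LOGIN)
    return [store.authenticate("sid-2", LOGIN + timedelta(minutes=m)) for m in (20, 45, 100)]
```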
How can this vulnerability impact me?
This vulnerability can lead to prolonged unauthorized access because sessions remain active indefinitely after login, even if the OIDC access token expires.
An attacker or unauthorized user could exploit this by using an inactive session to access sensitive data or perform actions without re-authentication.
This increases the risk of data breaches or misuse of the system due to session persistence beyond intended limits.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allowed OIDC-authenticated sessions to persist indefinitely without a maximum inactivity timeout, even after the access token expired. Such indefinite session persistence can lead to unauthorized access risks and potential data exposure.
From a compliance perspective, this behavior could negatively impact adherence to standards and regulations like GDPR and HIPAA, which require appropriate session management and access controls to protect personal and health data.
The vulnerability was fixed in version 2.1.0 by introducing a maximum inactivity timeout, thereby improving compliance with these security requirements.