CVE-2026-40942
Received Received - Intake
Cache Logic Flaws in DSF OIDC Components Cause Token and Metadata Issues

Publication date: 2026-04-21

Last updated on: 2026-04-21

Assigner: GitHub, Inc.

Description
The Data Sharing Framework (DSF) implements a distributed process engine based on the BPMN 2.0 and FHIR R4 standards. Prior to 2.1.0, The OIDC JWKS and Metadata Document caches used an inverted time comparison (isBefore instead of isAfter), causing the cache to never return cached values. Every incoming request triggered a fresh HTTP fetch of the OIDC Metadata Document and JWKS keys from the OIDC provider. The OIDC token cache for the FHIR client connections used an inverted time comparison (isBefore instead of isAfter), causing the cache to never invalidate. Every incoming request returned the same OIDC token even if expired. This vulnerability is fixed in 2.1.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-21
Last Modified
2026-04-21
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40942
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-670 The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Data Sharing Framework (DSF) prior to version 2.1.0. It involves incorrect time comparisons in caching mechanisms for OIDC JWKS and Metadata Document caches, as well as the OIDC token cache for FHIR client connections.

Specifically, the caches used an inverted time comparison (using isBefore instead of isAfter), which caused the JWKS and Metadata Document caches to never return cached values, forcing a fresh HTTP fetch on every request.

Additionally, the OIDC token cache never invalidated tokens because of the same inverted time comparison, causing every request to return the same OIDC token even if it was expired.

This flaw was fixed in version 2.1.0 of the DSF.

Impact Analysis

Because the JWKS and Metadata Document caches never return cached values, every incoming request triggers a fresh HTTP fetch from the OIDC provider, which can lead to increased latency and higher load on the OIDC provider.

More critically, the OIDC token cache never invalidates expired tokens, meaning that expired tokens may be accepted and reused, potentially allowing unauthorized access or session continuation beyond intended expiration.

This can lead to security risks such as unauthorized access to protected resources or data, and performance degradation due to excessive network requests.

Mitigation Strategies

The vulnerability is fixed in version 2.1.0 of the Data Sharing Framework (DSF). To mitigate this vulnerability, you should upgrade your DSF installation to version 2.1.0 or later.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40942. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart