PT-2026-33385 · Unknown · Data Sharing Framework

Published: 2026-04-15 · Updated: 2026-04-26 · CVE-2026-40939

CVSS v4.0: 6.8 (Medium)
Vector: AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Data Sharing Framework versions prior to 2.1.0

Description: OIDC-authenticated sessions lack a configured maximum inactivity timeout, so a session persists indefinitely after login, even after the OIDC access token has expired. If the user does not explicitly log out, a different person using the same browser can access the UI with the previous user's permissions, which is a significant risk in environments with shared workstations. This issue affects only OIDC browser sessions; mTLS machine-to-machine communication is not impacted.

Recommendations: Update to version 2.1.0. Configure the session timeout using the dev.dsf.server.auth.oidc.session.timeout variable. Enable logoutWhenIdTokenIsExpired(true) in the OpenID configuration to link the session lifetime to the token lifetime.
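To make the two recommended controls concrete, the following is an added Python model of the session-validity decision (not DSF's own code): max_idle_seconds stands in for dev.dsf.server.auth.oidc.session.timeout and logout_when_id_token_expired for logoutWhenIdTokenIsExpired(true). The Session and SessionPolicy types, the epoch-second timestamps and the sample session are constructed assumptions; the point it shows is that with neither control set, a stale session is never rejected.

```python
"""Session-expiry policy check for an OIDC browser session (added example, not DSF code).

Models the two controls named in the advisory: a maximum inactivity timeout
(dev.dsf.server.auth.oidc.session.timeout) and linking the session to the
ID token lifetime (logoutWhenIdTokenIsExpired). Timestamps are epoch seconds.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class SessionPolicy:
    # None models the vulnerable default: no inactivity limit configured.
    max_idle_seconds: Optional[int] = None
    # Models logoutWhenIdTokenIsExpired(true).
    logout_when_id_token_expired: bool = False


@dataclass
class Session:
    last_activity: int      # epoch seconds of the last request on this session
    id_token_expiry: int    # 'exp' claim of the ID token issued at login


def session_is_valid(session: Session, policy: SessionPolicy, now: int) -> bool:
    """Return True if the browser session may still act for the logged-in user."""
    if policy.max_idle_seconds is not None:
        if now - session.last_activity > policy.max_idle_seconds:
            return False          # idle too long: force re-authentication
    if policy.logout_when_id_token_expired and now >= session.id_token_expiry:
        return False              # token lifetime bounds the session lifetime
    return True                   # with no policy set this is always reached


# Constructed sample: login at t=0 with a one-hour ID token, last UI activity
# at t=600, and a second person using the same browser at t=36000 (10 h later).
SESSION = Session(last_activity=600, id_token_expiry=3600)
VULNERABLE = SessionPolicy()                                  # pre-2.1.0 default
HARDENED = SessionPolicy(max_idle_seconds=1800, logout_when_id_token_expired=True)


def demo() -> dict:
    """Evaluate the same session under both policies at two points in time."""
    return {
        "vulnerable_stale": session_is_valid(SESSION, VULNERABLE, now=36000),
        "hardened_stale": session_is_valid(SESSION, HARDENED, now=36000),
        # The hardened policy still admits a recently active session with a live token.
        "hardened_active": session_is_valid(SESSION, HARDENED, now=1200),
    }


if __name__ == "__main__":
    print(demo())
```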

Fix

Weakness Enumeration: Insufficient Session Expiration

Related Identifiers

CVE-2026-40939
GHSA-GJ7P-595X-QWF5

Affected Products

Data Sharing Framework