PT-2026-34186 · Unknown · Data Sharing Framework

Published: 2026-04-15 · Updated: 2026-04-26 · CVE-2026-40942

CVSS v4.0: 6.3 (Medium)

Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Data Sharing Framework (DSF) versions prior to 2.1.0

Description

The Data Sharing Framework (DSF) implements a distributed process engine based on BPMN 2.0 and FHIR R4 standards. An inverted time comparison (using isBefore instead of isAfter) in the OIDC JWKS and Metadata Document caches prevents the system from returning cached values, forcing a fresh HTTP fetch of the OIDC Metadata Document and JWKS keys from the provider for every request. Additionally, an inverted time comparison in the OIDC token cache for FHIR client connections prevents cache invalidation, resulting in the system returning the same OIDC token even after it has expired.

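Added illustration of the inverted expiry check described above (not DSF source code; the class TtlCache, its fields and the timestamps are hypothetical, and Java 16+ is assumed). It runs the same request sequence against a correct and an inverted comparison and reports both symptoms: a fetch on every request inside the validity window, and no refresh after expiry.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.function.Supplier;

// Added illustration; all names are hypothetical and this is not DSF source code.
public class ExpiryCheckDemo {
    record Entry(String value, Instant expiresAt) {}

    static final class TtlCache {
        private final Duration ttl;
        private final boolean inverted; // true reproduces the bug class from the advisory
        private Entry entry;
        int fetches;

        TtlCache(Duration ttl, boolean inverted) { this.ttl = ttl; this.inverted = inverted; }

        String get(Instant now, Supplier<String> fetch) {
            boolean fresh = entry != null && (inverted
                    ? entry.expiresAt().isBefore(now)  // wrong: true only once the entry has expired
                    : entry.expiresAt().isAfter(now)); // right: true while the entry is still valid
            if (!fresh) {
                entry = new Entry(fetch.get(), now.plus(ttl));
                fetches++;
            }
            return entry.value();
        }
    }

    static String run(boolean inverted) {
        Instant t0 = Instant.parse("2026-01-01T00:00:00Z"); // constructed timestamp
        TtlCache cache = new TtlCache(Duration.ofMinutes(5), inverted);
        int[] issued = {0};
        Supplier<String> provider = () -> "token-" + (++issued[0]); // stands in for the HTTP fetch
        // Three requests inside the TTL window: a working cache fetches once.
        for (int s = 0; s < 3; s++) cache.get(t0.plusSeconds(s), provider);
        int fetchesInWindow = cache.fetches;
        // One request ten minutes later: a working cache must refresh here.
        cache.get(t0.plus(Duration.ofMinutes(10)), provider);
        boolean refreshedAfterExpiry = cache.fetches > fetchesInWindow;
        return "fetches within TTL=" + fetchesInWindow + ", refreshed after expiry=" + refreshedAfterExpiry;
    }

    public static void main(String[] args) {
        System.out.println("correct:  " + run(false));
        System.out.println("inverted: " + run(true));
    }
}
```

A regression test for this bug class should pin the clock and assert both the fetch count inside the validity window and the refresh after expiry, since either symptom alone can pass unnoticed.
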
Recommendations

Update to version 2.1.0.

Related Identifiers

CVE-2026-40942
GHSA-XMJ9-7625-F634

Affected Products

Data Sharing Framework