CVE-2026-40942 | datasharingframework dsf/dsf-bpe-process-api-v2/dsf-bpe-server up to 2.0.x OIDC Provider control flow (GHSA-xmj9-7625-f634)
VulDBArchived Apr 22, 2026✓ Full text saved
A vulnerability, which was classified as problematic , has been found in datasharingframework dsf, dsf-bpe-process-api-v2 and dsf-bpe-server up to 2.0.x . This affects an unknown function of the component OIDC Provider Handler . The manipulation leads to incorrect control flow. This vulnerability is documented as CVE-2026-40942 . The attack can be initiated remotely. There is not any exploit available. It is advisable to upgrade the affected component.
Full text archived locally
✦ AI Summary· Claude Sonnet
VDB-358752 · CVE-2026-40942 · GHSA-XMJ9-7625-F634
DATASHARINGFRAMEWORK DSF/DSF-BPE-PROCESS-API-V2/DSF-BPE-SERVER UP TO 2.0.X OIDC PROVIDER CONTROL FLOW
HISTORYDIFFRELATEJSONXMLCTI
CVSS Meta Temp Score Current Exploit Price (≈) CTI Interest Score
5.1 $0-$5k 1.80+
Summaryinfo
A vulnerability, which was classified as problematic, was found in datasharingframework dsf, dsf-bpe-process-api-v2 and dsf-bpe-server up to 2.0.x. This impacts an unknown function of the component OIDC Provider Handler. The manipulation results in control flow. This vulnerability is reported as CVE-2026-40942. The attack can be launched remotely. No exploit exists. You should upgrade the affected component.
Detailsinfo
A vulnerability, which was classified as problematic, was found in datasharingframework dsf, dsf-bpe-process-api-v2 and dsf-bpe-server up to 2.0.x. Affected is some unknown functionality of the component OIDC Provider Handler. The manipulation with an unknown input leads to a control flow vulnerability. CWE is classifying the issue as CWE-670. The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated. This is going to have an impact on availability. CVE summarizes:
The Data Sharing Framework (DSF) implements a distributed process engine based on the BPMN 2.0 and FHIR R4 standards. Prior to 2.1.0, The OIDC JWKS and Metadata Document caches used an inverted time comparison (isBefore instead of isAfter), causing the cache to never return cached values. Every incoming request triggered a fresh HTTP fetch of the OIDC Metadata Document and JWKS keys from the OIDC provider. The OIDC token cache for the FHIR client connections used an inverted time comparison (isBefore instead of isAfter), causing the cache to never invalidate. Every incoming request returned the same OIDC token even if expired. This vulnerability is fixed in 2.1.0.
The advisory is shared for download at github.com. This vulnerability is traded as CVE-2026-40942 since 04/15/2026. The exploitability is told to be easy. It is possible to launch the attack remotely. The exploitation doesn't require any form of authentication. There are neither technical details nor an exploit publicly available.
Upgrading to version 2.1.0 eliminates this vulnerability. Applying the patch 31c2e974dfd4351756104ee8c53dbcd666192fef is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.
Productinfo
Type
Automation Software
Vendor
datasharingframework
Name
dsf
dsf-bpe-process-api-v2
dsf-bpe-server
Version
2.0
License
open-source
Website
Product: https://github.com/datasharingframework/dsf/
CPE 2.3info
🔒
🔒
🔒
CPE 2.2info
🔒
🔒
🔒
CVSSv4info
VulDB Vector: 🔒
VulDB Reliability: 🔍
CNA CVSS-B Score: 🔒
CNA CVSS-BT Score: 🔒
CNA Vector: 🔒
CVSSv3info
VulDB Meta Base Score: 5.3
VulDB Meta Temp Score: 5.1
VulDB Base Score: 5.3
VulDB Temp Score: 5.1
VulDB Vector: 🔒
VulDB Reliability: 🔍
CVSSv2info
Vector Complexity Authentication Confidentiality Integrity Availability
Unlock Unlock Unlock Unlock Unlock Unlock
Unlock Unlock Unlock Unlock Unlock Unlock
Unlock Unlock Unlock Unlock Unlock Unlock
VulDB Base Score: 🔒
VulDB Temp Score: 🔒
VulDB Reliability: 🔍
Exploitinginfo
Class: Control flow
CWE: CWE-670
CAPEC: 🔒
ATT&CK: 🔒
Physical: No
Local: No
Remote: Yes
Availability: 🔒
Status: Not defined
Price Prediction: 🔍
Current Price Estimation: 🔒
0-Day Unlock Unlock Unlock Unlock
Today Unlock Unlock Unlock Unlock
Threat Intelligenceinfo
Interest: 🔍
Active Actors: 🔍
Active APT Groups: 🔍
Countermeasuresinfo
Recommended: Upgrade
Status: 🔍
0-Day Time: 🔒
Upgrade: dsf/dsf-bpe-process-api-v2/dsf-bpe-server 2.1.0
Patch: 31c2e974dfd4351756104ee8c53dbcd666192fef
Timelineinfo
04/15/2026 CVE reserved
04/22/2026 +7 days Advisory disclosed
04/22/2026 +0 days VulDB entry created
04/22/2026 +0 days VulDB entry last update
Sourcesinfo
Product: github.com
Advisory: GHSA-xmj9-7625-f634
Status: Confirmed
CVE: CVE-2026-40942 (🔒)
GCVE (CVE): GCVE-0-2026-40942
GCVE (VulDB): GCVE-100-358752
Entryinfo
Created: 04/22/2026 07:29
Changes: 04/22/2026 07:29 (70)
Complete: 🔍
Cache ID: 99:CC6:101
Discussion
No comments yet. Languages: en.
Please log in to comment.
◂ PreviousOverviewNext ▸