Vulnerability in Datasharingframework Dsf
CVE-2026-40942
The Data Sharing Framework (DSF) implements a distributed process engine based on the BPMN 2.0 and FHIR R4 standards. Prior to 2.1.0, the OIDC JWKS and Metadata Document caches used an inverted time comparison (isBefore instead of isAfter)…
EPSS: 0.001 (18.1th percentile)
Affected products
- Datasharingframework Dsf — versions < 2.1.0
- Dev.dsf Dsf-bpe-process-api-v2 — versions < 2.1.0
- Dev.dsf Dsf-bpe-server — versions < 2.1.0
Weakness classification (CWE)
References
- https://github.com/datasharingframework/dsf/security/advisories/GHSA-xmj9-7625-f634 (x_refsource_CONFIRM)
- https://github.com/datasharingframework/dsf/commit/31c2e974dfd4351756104ee8c53dbcd666192fef (x_refsource_MISC)
- https://github.com/datasharingframework/dsf/commit/d3ca59b4daccde16a006fedeccce28fd1f826908 (x_refsource_MISC)