GHSA-GJ7P-595X-QWF5

Vulnerability from github – Published: 2026-04-15 19:19 – Updated: 2026-04-16 21:41
VLAI?
Summary
Data Sharing Framework is Missing Session Timeout for OIDC Sessions
Details

Affected Components

DSF FHIR Server with enabled OIDC authentication. DSF BPE Server with enabled OIDC authentication.

Summary

OIDC-authenticated sessions had no configured maximum inactivity timeout. Sessions persisted indefinitely after login, even after the OIDC access token expired.

Impact

If a user logs in via OIDC and leaves their browser without explicitly logging out, the session remains valid indefinitely. Another person using the same browser can access the DSF UI with the previous user's permissions. This is a realistic threat in hospital environments with shared workstations.

Only affects OIDC browser sessions, not relevant for mTLS machine-to-machine communication.

Fix (commits f4ecb00, 7d25fea)

  • Added configurable session timeout via dev.dsf.server.auth.oidc.session.timeout (default: PT30M).
  • Enabled logoutWhenIdTokenIsExpired(true) in OpenID configuration to tie session lifetime to token lifetime.
  • Websocket sessions are now closed with VIOLATED_POLICY when credentials expire, prevents stale websocket connections from continuing to receive events after session timeout.
Severity ?
6.8 (Medium)
CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 2.1.0"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "dev.dsf:dsf-common-jetty"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 2.1.0"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "dev.dsf:dsf-fhir-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 2.1.0"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "dev.dsf:dsf-bpe-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-40939"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-15T19:19:43Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Affected Components\nDSF FHIR Server with enabled [OIDC authentication](https://dsf.dev/operations/v2.1.0/fhir/oidc.html).\nDSF BPE Server with enabled [OIDC authentication](https://dsf.dev/operations/v2.1.0/bpe/oidc.html).\n\n### Summary\nOIDC-authenticated sessions had no configured maximum inactivity timeout. Sessions persisted indefinitely after login, even after the OIDC access token expired.\n\n### Impact\nIf a user logs in via OIDC and leaves their browser without explicitly logging out, the session remains valid indefinitely. Another person using the same browser can access the DSF UI with the previous user\u0027s permissions. This is a realistic threat in hospital environments with shared workstations.\n\nOnly affects OIDC browser sessions, not relevant for mTLS machine-to-machine communication.\n\n### Fix (commits f4ecb00, 7d25fea)\n- Added configurable session timeout via `dev.dsf.server.auth.oidc.session.timeout` (default: `PT30M`).\n- Enabled `logoutWhenIdTokenIsExpired(true)` in OpenID configuration to tie session lifetime to token lifetime.\n- Websocket sessions are now closed with `VIOLATED_POLICY` when credentials expire, prevents stale websocket connections from continuing to receive events after session timeout.",
  "id": "GHSA-gj7p-595x-qwf5",
  "modified": "2026-04-16T21:41:52Z",
  "published": "2026-04-15T19:19:43Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/datasharingframework/dsf/security/advisories/GHSA-gj7p-595x-qwf5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/datasharingframework/dsf/commit/7d25feafb83d66cb59985ac88568b67d937b1937"
    },
    {
      "type": "WEB",
      "url": "https://github.com/datasharingframework/dsf/commit/f4ecb002f7d12642f92da6b79371ed367d0140e7"
    },
    {
      "type": "WEB",
      "url": "https://dsf.dev/operations/v2.1.0/bpe/oidc.html"
    },
    {
      "type": "WEB",
      "url": "https://dsf.dev/operations/v2.1.0/fhir/oidc.html"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/datasharingframework/dsf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Data Sharing Framework is Missing Session Timeout for OIDC Sessions"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.