CVE-2026-40942: Data Sharing Framework has an Inverted Time Comparison in OIDC JWKS and Token Cache
- The OIDC JWKS and Metadata Document caches used an inverted time comparison (isBefore instead of isAfter), causing the cache to never return cached values. Every incoming request triggered a fresh HTTP fetch of the OIDC Metadata Document and JWKS keys from the OIDC provider.
- The OIDC token cache for the FHIR client connections used an inverted time comparison (isBefore instead of isAfter), causing the cache to never invalidate. Every incoming request returned the same OIDC token even if expired.
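The following is an added illustration of the defect class, not code from the DSF project: a hypothetical single-entry cache whose freshness check can be written either correctly or with the java.time comparison inverted. The class and member names (ExpiringCache, Check, put, get), the injected clock and the timeline are all assumptions constructed for the example. With the comparison inverted, an entry counts as fresh only once its expiry has passed, so reads inside the validity window miss (the fetch-on-every-request symptom) and reads after it hit (the expired-value symptom).

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Optional;
import java.util.function.Supplier;

/** Hypothetical time-bounded single-entry cache; not taken from DSF. */
public final class ExpiringCache<T> {

    /** How the freshness check is written; INVERTED reproduces the advisory's defect class. */
    public enum Check { CORRECT, INVERTED }

    private final Supplier<Instant> clock; // injected so the timeline can be driven deterministically
    private final Check check;
    private T value;
    private Instant expiresAt;

    public ExpiringCache(Supplier<Instant> clock, Check check) {
        this.clock = clock;
        this.check = check;
    }

    /** Stores a value and records the instant at which it stops being usable. */
    public void put(T value, Duration ttl) {
        this.value = value;
        this.expiresAt = clock.get().plus(ttl);
    }

    /** Returns the entry only while it is still fresh; an empty result means "fetch again". */
    public Optional<T> get() {
        if (value == null) {
            return Optional.empty();
        }
        Instant now = clock.get();
        boolean fresh = (check == Check.CORRECT)
                ? expiresAt.isAfter(now)   // fresh while the expiry still lies in the future
                : expiresAt.isBefore(now); // defect: counted as fresh only after the expiry has passed
        return fresh ? Optional.of(value) : Optional.empty();
    }

    /** Walk-through: one fetch at t0 with a 10 minute TTL, then reads at t0+1min and t0+11min. */
    public static void main(String[] args) {
        Instant t0 = Instant.parse("2026-01-01T00:00:00Z"); // constructed sample timeline
        Instant[] now = { t0 };
        Supplier<Instant> clock = () -> now[0];

        for (Check check : Check.values()) {
            ExpiringCache<String> cache = new ExpiringCache<>(clock, check);
            now[0] = t0;
            cache.put("cached-document", Duration.ofMinutes(10));

            now[0] = t0.plus(Duration.ofMinutes(1));
            boolean hitWhileFresh = cache.get().isPresent();  // inside the validity window

            now[0] = t0.plus(Duration.ofMinutes(11));
            boolean hitAfterExpiry = cache.get().isPresent(); // after the validity window

            System.out.printf("%-8s hit at +1min=%-5b hit at +11min=%-5b%n",
                    check, hitWhileFresh, hitAfterExpiry);
        }
    }
}
```

The CORRECT row hits inside the window and misses after it; the INVERTED row does the opposite, which is the pair of behaviours the advisory describes. A unit test that drives a fake clock across the expiry boundary, as main does here, is the cheapest way to catch this class of bug before release.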
References
- github.com/advisories/GHSA-xmj9-7625-f634
- github.com/datasharingframework/dsf
- github.com/datasharingframework/dsf/commit/31c2e974dfd4351756104ee8c53dbcd666192fef
- github.com/datasharingframework/dsf/commit/d3ca59b4daccde16a006fedeccce28fd1f826908
- github.com/datasharingframework/dsf/security/advisories/GHSA-xmj9-7625-f634
- nvd.nist.gov/vuln/detail/CVE-2026-40942