CVE-2026-40939

描述

### Affected Components DSF FHIR Server with enabled [OIDC authentication](https://dsf.dev/operations/v2.1.0/fhir/oidc.html). DSF BPE Server with enabled [OIDC authentication](https://dsf.dev/operations/v2.1.0/bpe/oidc.html). ### Summary OIDC-authenticated sessions had no configured maximum inactivity timeout. Sessions persisted indefinitely after login, even after the OIDC access token expired. ### Impact If a user logs in via OIDC and leaves their browser without explicitly logging out, the session remains valid indefinitely. Another person using the same browser can access the DSF UI with the previous user's permissions. This is a realistic threat in hospital environments with shared workstations. Only affects OIDC browser sessions, not relevant for mTLS machine-to-machine communication. ### Fix (commits f4ecb00, 7d25fea) - Added configurable session timeout via `dev.dsf.server.auth.oidc.session.timeout` (default: `PT30M`). - Enabled `logoutWhenIdTokenIsExpired(true)` in OpenID configuration to tie session lifetime to token lifetime. - Websocket sessions are now closed with `VIOLATED_POLICY` when credentials expire, prevents stale websocket connections from continuing to receive events after session timeout.

如何修補 CVE-2026-40939

目前尚未發布修補版本。可考慮移除受影響套件,或參考下方連結中的上游建議。

• —未列出修補版本
• —未列出修補版本
• —未列出修補版本

CVE-2026-40939 正在被利用嗎?

低 — EPSS 為 0.0%,目前沒有觀察到大規模利用活動。

受影響套件(3)

• from 0
• from 0
• from 0

CVSS 分數

參考連結(7)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-40939
• PATCHgithub.com/datasharingframework/dsf
• WEBdsf.dev/operations/v2.1.0/bpe/oidc.html
• WEBdsf.dev/operations/v2.1.0/fhir/oidc.html
• WEB