CVE-2026-1842 - Vulnerability Details

CVE-2026-1842 - HyperCloud Improper Refresh Token Validation and Access Token Invalidation Allows Long-Term Unauthorized Access

HyperCloud versions 2.3.5 through 2.6.8 improperly allowed refresh tokens to be used directly for resource access and failed to invalidate previously issued access tokens when a refresh token was used. Because refresh tokens have a significantly longer lifetime (default one year), an authenticated client could use a refresh token in place of an access token to maintain long-term access without token rotation. Additionally, old access tokens remained valid after refresh, enabling concurrent or extended use beyond intended session boundaries. This vulnerability could allow prolonged unauthorized access if a token is disclosed.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

References

Link	Providers
https://advisories.softiron.cloud/

History

Fri, 20 Feb 2026 17:00:00 +0000

Type	Values Removed	Values Added
Description		HyperCloud versions 2.3.5 through 2.6.8 improperly allowed refresh tokens to be used directly for resource access and failed to invalidate previously issued access tokens when a refresh token was used. Because refresh tokens have a significantly longer lifetime (default one year), an authenticated client could use a refresh token in place of an access token to maintain long-term access without token rotation. Additionally, old access tokens remained valid after refresh, enabling concurrent or extended use beyond intended session boundaries. This vulnerability could allow prolonged unauthorized access if a token is disclosed.
Title		HyperCloud Improper Refresh Token Validation and Access Token Invalidation Allows Long-Term Unauthorized Access
Weaknesses		CWE-613
References		https://advisories.softiron.cloud/
Metrics		cvssV4_0 `{'score': 6.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U'}`

MITRE

Status: PUBLISHED

Assigner: SoftIron

Published: 2026-02-20T16:23:16.498Z

Updated: 2026-02-20T18:54:48.311Z

Reserved: 2026-02-03T17:15:55.203Z

Link: CVE-2026-1842

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-02-20T17:25:50.780

Modified: 2026-02-20T18:57:15.973

Link: CVE-2026-1842

Redhat

No data.

OpenCVE Enrichment

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object