{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1842", "assignerOrgId": "0a72a055-908d-47f5-a16a-1f09049c16c6", "state": "PUBLISHED", "assignerShortName": "SoftIron", "dateReserved": "2026-02-03T17:15:55.203Z", "datePublished": "2026-02-20T16:23:16.498Z", "dateUpdated": "2026-02-20T18:54:48.311Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "HyperCloud", "vendor": "SoftIron", "versions": [{"lessThan": "2.6.9", "status": "affected", "version": "2.3.5", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "HyperCloud versions 2.3.5 through 2.6.8 improperly allowed refresh tokens to be used directly for resource access and failed to invalidate previously issued access tokens when a refresh token was used. Because refresh tokens have a significantly longer lifetime (default one year), an authenticated client could use a refresh token in place of an access token to maintain long-term access without token rotation. Additionally, old access tokens remained valid after refresh, enabling concurrent or extended use beyond intended session boundaries. This vulnerability could allow prolonged unauthorized access if a token is disclosed.<br>"}], "value": "HyperCloud versions 2.3.5 through 2.6.8 improperly allowed refresh tokens to be used directly for resource access and failed to invalidate previously issued access tokens when a refresh token was used. Because refresh tokens have a significantly longer lifetime (default one year), an authenticated client could use a refresh token in place of an access token to maintain long-term access without token rotation. Additionally, old access tokens remained valid after refresh, enabling concurrent or extended use beyond intended session boundaries. This vulnerability could allow prolonged unauthorized access if a token is disclosed."}], "impacts": [{"capecId": "CAPEC-593", "descriptions": [{"lang": "en", "value": "CAPEC-593 Session Hijacking"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 6.2, "baseSeverity": "MEDIUM", "exploitMaturity": "UNREPORTED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-613", "description": "CWE-613 Insufficient Session Expiration", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0a72a055-908d-47f5-a16a-1f09049c16c6", "shortName": "SoftIron", "dateUpdated": "2026-02-20T16:23:16.498Z"}, "references": [{"url": "https://advisories.softiron.cloud/"}], "source": {"discovery": "UNKNOWN"}, "title": "HyperCloud Improper Refresh Token Validation and Access Token Invalidation Allows Long-Term Unauthorized Access", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-20T18:53:42.171662Z", "id": "CVE-2026-1842", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T18:54:48.311Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1842", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-20T18:53:42.171662Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T18:54:37.181Z"}}], "cna": {"title": "HyperCloud Improper Refresh Token Validation and Access Token Invalidation Allows Long-Term Unauthorized Access", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-593", "descriptions": [{"lang": "en", "value": "CAPEC-593 Session Hijacking"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.2, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U", "exploitMaturity": "UNREPORTED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "SoftIron", "product": "HyperCloud", "versions": [{"status": "affected", "version": "2.3.5", "lessThan": "2.6.9", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://advisories.softiron.cloud/"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "HyperCloud versions 2.3.5 through 2.6.8 improperly allowed refresh tokens to be used directly for resource access and failed to invalidate previously issued access tokens when a refresh token was used. Because refresh tokens have a significantly longer lifetime (default one year), an authenticated client could use a refresh token in place of an access token to maintain long-term access without token rotation. Additionally, old access tokens remained valid after refresh, enabling concurrent or extended use beyond intended session boundaries. This vulnerability could allow prolonged unauthorized access if a token is disclosed.", "supportingMedia": [{"type": "text/html", "value": "HyperCloud versions 2.3.5 through 2.6.8 improperly allowed refresh tokens to be used directly for resource access and failed to invalidate previously issued access tokens when a refresh token was used. Because refresh tokens have a significantly longer lifetime (default one year), an authenticated client could use a refresh token in place of an access token to maintain long-term access without token rotation. Additionally, old access tokens remained valid after refresh, enabling concurrent or extended use beyond intended session boundaries. This vulnerability could allow prolonged unauthorized access if a token is disclosed.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-613", "description": "CWE-613 Insufficient Session Expiration"}]}], "providerMetadata": {"orgId": "0a72a055-908d-47f5-a16a-1f09049c16c6", "shortName": "SoftIron", "dateUpdated": "2026-02-20T16:23:16.498Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1842", "state": "PUBLISHED", "dateUpdated": "2026-02-20T18:54:48.311Z", "dateReserved": "2026-02-03T17:15:55.203Z", "assignerOrgId": "0a72a055-908d-47f5-a16a-1f09049c16c6", "datePublished": "2026-02-20T16:23:16.498Z", "assignerShortName": "SoftIron"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "HyperCloud versions 2.3.5 through 2.6.8 improperly allowed refresh tokens to be used directly for resource access and failed to invalidate previously issued access tokens when a refresh token was used. Because refresh tokens have a significantly longer lifetime (default one year), an authenticated client could use a refresh token in place of an access token to maintain long-term access without token rotation. Additionally, old access tokens remained valid after refresh, enabling concurrent or extended use beyond intended session boundaries. This vulnerability could allow prolonged unauthorized access if a token is disclosed."}, {"lang": "es", "value": "Las versiones 2.3.5 a 2.6.8 de HyperCloud permitieron indebidamente que los tokens de actualizaci\u00f3n se usaran directamente para el acceso a recursos y no invalidaron los tokens de acceso emitidos previamente cuando se usaba un token de actualizaci\u00f3n. Debido a que los tokens de actualizaci\u00f3n tienen una vida \u00fatil significativamente m\u00e1s larga (un a\u00f1o por defecto), un cliente autenticado podr\u00eda usar un token de actualizaci\u00f3n en lugar de un token de acceso para mantener un acceso a largo plazo sin rotaci\u00f3n de tokens. Adem\u00e1s, los tokens de acceso antiguos permanecieron v\u00e1lidos despu\u00e9s de la actualizaci\u00f3n, lo que permit\u00eda un uso concurrente o extendido m\u00e1s all\u00e1 de los l\u00edmites de sesi\u00f3n previstos. Esta vulnerabilidad podr\u00eda permitir un acceso no autorizado prolongado si un token es revelado."}], "id": "CVE-2026-1842", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "0a72a055-908d-47f5-a16a-1f09049c16c6", "type": "Secondary"}]}, "published": "2026-02-20T17:25:50.780", "references": [{"source": "0a72a055-908d-47f5-a16a-1f09049c16c6", "url": "https://advisories.softiron.cloud/"}], "sourceIdentifier": "0a72a055-908d-47f5-a16a-1f09049c16c6", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-613"}], "source": "0a72a055-908d-47f5-a16a-1f09049c16c6", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.3.5,2.6.9)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "HyperCloud", "source": "cna", "vendor": "SoftIron"}, "product": "hypercloud", "vendor": "softiron"}], "analysis": {"en": {"generated_at": "2026-04-17T17:21:43.248363+00:00", "value": {"mitigation_remediation": ["Upgrade HyperCloud to a version newer than 2.6.8 that corrects token validation and access\u2011token invalidation", "Force revocation of all current access and refresh tokens and require users to re\u2011authenticate with fresh tokens", "Implement stricter token handling rules so that refresh tokens can only be exchanged for access tokens and are not treated as direct resource credentials"], "summary": {"action": "Patch promptly", "impact": "Long\u2011term unauthorized access via reused refresh tokens"}, "threat_synthesis": {"affected_systems": "The vulnerability affects SoftIron\u2019s HyperCloud platform, specifically versions 2.3.5 through 2.6.8.", "description_and_impact": "HyperCloud versions 2.3.5 through 2.6.8 allowed refresh tokens to be used directly for resource access while failing to invalidate prior access tokens when a refresh token was used. Because refresh tokens normally last about a year, an attacker who obtains a refresh token could use it as an access token to continue interacting with the platform without any token rotation. At the same time, previous access tokens remain valid even after a refresh, allowing the attacker to use multiple valid tokens concurrently or beyond the intended session lifetime. This flaw enables prolonged unauthorized access if either token is disclosed.", "risk_and_exploitability": "The CVSS score is 6.2, indicating medium severity, while the EPSS score is below 1% and the vulnerability is not listed in CISA\u2019s KEV catalog. Based on the description, the attack vector requires an authenticated client to have a refresh token that can be captured or exposed to an attacker. The flaw allows that attacker to bypass normal token rotation and maintain continuous access, presenting a moderate risk of sustained compromise. The low EPSS and lack of KEV listing suggest exploitation is not yet widespread, but the long lifetime of the tokens makes the potential impact significant if an attacker gains them."}}}}, "created": "2026-02-23T14:35:40.445103+00:00", "updated": "2026-04-17T17:30:23.860572+00:00", "vendors": ["softiron", "softiron$PRODUCT$hypercloud"]}