FKIE_CVE-2026-1842

Vulnerability from fkie_nvd - Published: 2026-02-20 17:25 - Updated: 2026-04-15 00:35
Severity ?
6.2 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
Summary
HyperCloud versions 2.3.5 through 2.6.8 improperly allowed refresh tokens to be used directly for resource access and failed to invalidate previously issued access tokens when a refresh token was used. Because refresh tokens have a significantly longer lifetime (default one year), an authenticated client could use a refresh token in place of an access token to maintain long-term access without token rotation. Additionally, old access tokens remained valid after refresh, enabling concurrent or extended use beyond intended session boundaries. This vulnerability could allow prolonged unauthorized access if a token is disclosed.
References
0a72a055-908d-47f5-a16a-1f09049c16c6https://advisories.softiron.cloud/
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "HyperCloud versions 2.3.5 through 2.6.8 improperly allowed refresh tokens to be used directly for resource access and failed to invalidate previously issued access tokens when a refresh token was used. Because refresh tokens have a significantly longer lifetime (default one year), an authenticated client could use a refresh token in place of an access token to maintain long-term access without token rotation. Additionally, old access tokens remained valid after refresh, enabling concurrent or extended use beyond intended session boundaries. This vulnerability could allow prolonged unauthorized access if a token is disclosed."
    },
    {
      "lang": "es",
      "value": "Las versiones 2.3.5 a 2.6.8 de HyperCloud permitieron indebidamente que los tokens de actualizaci\u00f3n se usaran directamente para el acceso a recursos y no invalidaron los tokens de acceso emitidos previamente cuando se usaba un token de actualizaci\u00f3n. Debido a que los tokens de actualizaci\u00f3n tienen una vida \u00fatil significativamente m\u00e1s larga (un a\u00f1o por defecto), un cliente autenticado podr\u00eda usar un token de actualizaci\u00f3n en lugar de un token de acceso para mantener un acceso a largo plazo sin rotaci\u00f3n de tokens. Adem\u00e1s, los tokens de acceso antiguos permanecieron v\u00e1lidos despu\u00e9s de la actualizaci\u00f3n, lo que permit\u00eda un uso concurrente o extendido m\u00e1s all\u00e1 de los l\u00edmites de sesi\u00f3n previstos. Esta vulnerabilidad podr\u00eda permitir un acceso no autorizado prolongado si un token es revelado."
    }
  ],
  "id": "CVE-2026-1842",
  "lastModified": "2026-04-15T00:35:42.020",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 6.2,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "UNREPORTED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "0a72a055-908d-47f5-a16a-1f09049c16c6",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-02-20T17:25:50.780",
  "references": [
    {
      "source": "0a72a055-908d-47f5-a16a-1f09049c16c6",
      "url": "https://advisories.softiron.cloud/"
    }
  ],
  "sourceIdentifier": "0a72a055-908d-47f5-a16a-1f09049c16c6",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-613"
        }
      ],
      "source": "0a72a055-908d-47f5-a16a-1f09049c16c6",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.