Description
HyperCloud versions 2.3.5 through 2.6.8 improperly allowed refresh tokens to be used directly for resource access and failed to invalidate previously issued access tokens when a refresh token was used. Because refresh tokens have a significantly longer lifetime (default one year), an authenticated client could use a refresh token in place of an access token to maintain long-term access without token rotation. Additionally, old access tokens remained valid after refresh, enabling concurrent or extended use beyond intended session boundaries. This vulnerability could allow prolonged unauthorized access if a token is disclosed.
Published: 2026-02-20
Score: 6.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Long‑term unauthorized access via reused refresh tokens
Action: Patch promptly
AI Analysis

Impact

HyperCloud versions 2.3.5 through 2.6.8 allowed refresh tokens to be used directly for resource access while failing to invalidate prior access tokens when a refresh token was used. Because refresh tokens normally last about a year, an attacker who obtains a refresh token could use it as an access token to continue interacting with the platform without any token rotation. At the same time, previous access tokens remain valid even after a refresh, allowing the attacker to use multiple valid tokens concurrently or beyond the intended session lifetime. This flaw enables prolonged unauthorized access if either token is disclosed.

Affected Systems

The vulnerability affects SoftIron’s HyperCloud platform, specifically versions 2.3.5 through 2.6.8.

Risk and Exploitability

The CVSS score is 6.2, indicating medium severity, while the EPSS score is below 1% and the vulnerability is not listed in CISA’s KEV catalog. Based on the description, exploitation requires an attacker to obtain a refresh token issued to an authenticated client, for example through capture or exposure. The flaw then allows that attacker to bypass normal token rotation and maintain continuous access, presenting a moderate risk of sustained compromise. The low EPSS and lack of KEV listing suggest exploitation is not yet widespread, but the long lifetime of the tokens makes the potential impact significant if an attacker gains them.

Generated by OpenCVE AI on April 17, 2026 at 17:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade HyperCloud to a version newer than 2.6.8 that corrects token validation and access‑token invalidation
  • Force revocation of all current access and refresh tokens and require users to re‑authenticate with fresh tokens
  • Implement stricter token handling rules so that refresh tokens can only be exchanged for access tokens and are not treated as direct resource credentials
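As an added illustration, not SoftIron's code, the following minimal in-memory token service in Python enforces the two rules from the list above: resource endpoints accept only tokens of kind "access" (never a refresh token), and a refresh exchange revokes the access token it supersedes. The names TokenService, authorize and refresh, and the lifetimes, are assumptions for the example.

```python
import secrets
import time
from dataclasses import dataclass

# Constructed example (hypothetical names): enforces token type at the
# resource endpoint and revokes the previous access token on refresh.
ACCESS_TTL = 3600            # assumed one-hour access token
REFRESH_TTL = 365 * 86400    # matches the advisory's default one-year refresh token


@dataclass
class Token:
    value: str
    kind: str          # "access" or "refresh"
    subject: str
    expires_at: float
    revoked: bool = False


class TokenService:
    def __init__(self, now=time.time):
        self.now = now               # injectable clock for testing expiry
        self.tokens = {}             # token value -> Token
        self.live_access = {}        # refresh token -> access token it currently backs

    def _mint(self, kind, subject, ttl):
        tok = Token(secrets.token_urlsafe(32), kind, subject, self.now() + ttl)
        self.tokens[tok.value] = tok
        return tok

    def _live(self, presented, kind):
        # A token is usable only if it exists, has the expected kind,
        # has not been revoked and has not expired.
        tok = self.tokens.get(presented)
        if tok is None or tok.kind != kind or tok.revoked or tok.expires_at <= self.now():
            return None
        return tok

    def login(self, subject):
        refresh = self._mint("refresh", subject, REFRESH_TTL)
        access = self._mint("access", subject, ACCESS_TTL)
        self.live_access[refresh.value] = access.value
        return access.value, refresh.value

    def authorize(self, presented):
        """Resource-endpoint check: a refresh token presented here is rejected."""
        tok = self._live(presented, "access")
        return tok.subject if tok else None

    def refresh(self, presented):
        """Exchange a refresh token for a new access token; the old one is revoked."""
        tok = self._live(presented, "refresh")
        if tok is None:
            return None
        old = self.live_access.get(presented)
        if old is not None:
            self.tokens[old].revoked = True      # closes the concurrent-use window
        new = self._mint("access", tok.subject, ACCESS_TTL)
        self.live_access[presented] = new.value
        return new.value
```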


Advisories

No advisories yet.

References
History

Mon, 23 Feb 2026 15:00:00 +0000

Type: First Time appeared
Values Added: Softiron; Softiron hypercloud

Type: Vendors & Products
Values Added: Softiron; Softiron hypercloud

Fri, 20 Feb 2026 20:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Feb 2026 17:00:00 +0000

Type: Description
Values Added: HyperCloud versions 2.3.5 through 2.6.8 improperly allowed refresh tokens to be used directly for resource access and failed to invalidate previously issued access tokens when a refresh token was used. Because refresh tokens have a significantly longer lifetime (default one year), an authenticated client could use a refresh token in place of an access token to maintain long-term access without token rotation. Additionally, old access tokens remained valid after refresh, enabling concurrent or extended use beyond intended session boundaries. This vulnerability could allow prolonged unauthorized access if a token is disclosed.

Type: Title
Values Added: HyperCloud Improper Refresh Token Validation and Access Token Invalidation Allows Long-Term Unauthorized Access

Type: Weaknesses
Values Added: CWE-613

Type: References
Values Added: (none listed)

Type: Metrics (cvssV4_0)
Values Added: {'score': 6.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: SoftIron

Published:

Updated: 2026-02-20T18:54:48.311Z

Reserved: 2026-02-03T17:15:55.203Z

Link: CVE-2026-1842

Vulnrichment

Updated: 2026-02-20T18:54:37.181Z

NVD

Status : Deferred

Published: 2026-02-20T17:25:50.780

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1842

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T17:30:23Z

Weaknesses