CVE-2026-1842

CVE-2026-1842 is a medium-severity vulnerability with a CVSS 4.0 base score of 6.2. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-613.

Key facts

Description

HyperCloud versions 2.3.5 through 2.6.8 improperly allowed refresh tokens to be used directly for resource access and failed to invalidate previously issued access tokens when a refresh token was used. Because refresh tokens have a significantly longer lifetime (default one year), an authenticated client could use a refresh token in place of an access token to maintain long-term access without token rotation. Additionally, old access tokens remained valid after refresh, enabling concurrent or extended use beyond intended session boundaries. This vulnerability could allow prolonged unauthorized access if a token is disclosed.

Frequently asked questions

What is CVE-2026-1842?
HyperCloud versions 2.3.5 through 2.6.8 improperly allowed refresh tokens to be used directly for resource access and failed to invalidate previously issued access tokens when a refresh token was used. Because refresh tokens have a significantly longer lifetime (default one year), an authenticated client could use a refresh token in place of an access token to maintain long-term access without token rotation. Additionally, old access tokens remained valid after refresh, enabling concurrent or extended use beyond intended session boundaries. This vulnerability could allow prolonged unauthorized access if a token is disclosed.
How severe is CVE-2026-1842?
CVE-2026-1842 has a CVSS 4.0 base score of 6.2, rated medium severity.
Is CVE-2026-1842 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (11th percentile), an estimate of the probability of exploitation in the next 30 days.
How do I fix CVE-2026-1842?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2026-1842 have an EU (EUVD) identifier?
Yes. CVE-2026-1842 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-8367.
When was CVE-2026-1842 published?
CVE-2026-1842 was published on 2026-02-20 and last updated on 2026-06-17.

References

Other CWE-613 (Insufficient Session Expiration) vulnerabilities

Browse all CWE-613 (Insufficient Session Expiration) vulnerabilities →