CVE-2026-44873

MEDIUM

Insufficient Session Invalidation on User Account Deactivation in AOS-8 Operating System

Title source: cna

Description

A session management vulnerability in AOS-8 allows previously authenticated users to retain network access after their accounts are administratively disabled. Existing sessions are not invalidated when credentials are revoked, enabling continued access until session expiration. An attacker with compromised credentials could exploit this behavior to maintain unauthorized access even after the account has been disabled.

References (1)

Core 1

Core References

https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw05048en_us&docLocale=en_US

Scores

CVSS v3 5.4

EPSS 0.0003

EPSS Percentile 10.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-613

Status published

Products (5)

arubanetworks/arubaos 6.5.4.0 - 8.10.0.22

arubanetworks/sd-wan 8.6.0.4-2.2.0.0 - 8.6.0.4-2.2.0.7

Hewlett Packard Enterprise (HPE)/HPE Aruba Networking Wireless Operating System (AOS) 8.10.0.0 - 8.10.0.21

Hewlett Packard Enterprise (HPE)/HPE Aruba Networking Wireless Operating System (AOS) 8.12.0.0 - 8.12.0.6

Hewlett Packard Enterprise (HPE)/HPE Aruba Networking Wireless Operating System (AOS) 8.13.0.0 - 8.13.1.1

Published May 12, 2026

Tracked Since May 13, 2026