CVE-2026-23808 MEDIUM

CVE-2026-23808: Client Isolation Bypass via GTK Manipulation

Vendor: Hewlett Packard Enterprise (HPE)
Product: HPE Aruba Networking Wireless Operating System (AOS-10 & AOS-8)
Published: March 4, 2026
Last update: April 1, 2026

CVSS base score

5.4/10
Attack vector: Adjacent
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: Low
Integrity: Low

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

01 Description

A vulnerability has been identified in a standardized wireless roaming protocol that could enable a malicious actor to install an attacker-controlled Group Temporal Key (GTK) on a client device. Successful exploitation of this vulnerability could allow a remote malicious actor to perform unauthorized frame injection, bypass client isolation, interfere with cross-client traffic, and compromise network segmentation, integrity, and confidentiality.

Key dates

02 Disclosure timeline

March 4, 2026: CVE published
April 1, 2026: Record updated