CVE-2026-23822 MEDIUM

CVE-2026-23822: Unauthenticated XML External Entity Injection in AOS-8 Instant allows Denial of Service

Vendor Hewlett Packard Enterprise (Hpe)
Product ArubaOS (AOS)
Published May 12, 2026
Last update May 12, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction Required
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H

What the vulnerability does

01Description

A vulnerability in the XML handling component of AOS-8 DHCP services could allow an unauthenticated remote attacker to trigger a denial-of-service condition. Successful exploitation could allow an attacker to cause excessive resource consumption upon user interaction, leading to service disruption or reduced availability of the affected system. NOTE: This vulnerability only impacts Access Points running AOS Instant 8.x.x.x

Key dates

02Disclosure timeline

May 12, 2026 CVE published
May 12, 2026 Record updated