CVE-2026-44873 MEDIUM

CVE-2026-44873: Insufficient Session Invalidation on User Account Deactivation in AOS-8 Operating System

Vendor Hewlett Packard Enterprise (Hpe)
Product HPE Aruba Networking Wireless Operating System (AOS)
Published May 12, 2026
Last update May 15, 2026

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

01Description

A session management vulnerability in AOS-8 allows previously authenticated users to retain network access after their accounts are administratively disabled. Existing sessions are not invalidated when credentials are revoked, enabling continued access until session expiration. An attacker with compromised credentials could exploit this behavior to maintain unauthorized access even after the account has been disabled.

Key dates

02Disclosure timeline

May 12, 2026 CVE published
May 15, 2026 Record updated