← Back
2026-05-12 19:19CVE-2026-44873hpe
PUBLISHED5.2

Insufficient Session Invalidation on User Account Deactivation in AOS-8 Operating System

A session management vulnerability in AOS-8 allows previously authenticated users to retain network access after their accounts are administratively disabled. Existing sessions are not invalidated when credentials are revoked, enabling continued access until session expiration. An attacker with compromised credentials could exploit this behavior to maintain unauthorized access even after the account has been disabled.

Affected products

Hewlett Packard Enterprise (HPE)

HPE Aruba Networking Wireless Operating System (AOS)

<= 8.13.1.1 - AFFECTED

<= 8.12.0.6 - AFFECTED

<= 8.10.0.21 - AFFECTED

References

support.hpe.com

https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw05048en_us&docLocale=en_US

GitHub Security Advisories

GHSA-h57h-82mj-62h6

A session management vulnerability in AOS-8 allows previously authenticated users to retain...

https://github.com/advisories/GHSA-h57h-82mj-62h6

A session management vulnerability in AOS-8 allows previously authenticated users to retain network access after their accounts are administratively disabled. Existing sessions are not invalidated when credentials are revoked, enabling continued access until session expiration. An attacker with compromised credentials could exploit this behavior to maintain unauthorized access even after the account has been disabled.

nvd.nist.gov

https://nvd.nist.gov/vuln/detail/CVE-2026-44873

support.hpe.com

https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw05048en_us&docLocale=en_US

github.com

https://github.com/advisories/GHSA-h57h-82mj-62h6

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-44873
Click to expand
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-44873",
    "assignerOrgId": "eb103674-0d28-4225-80f8-39fb86215de0",
    "assignerShortName": "hpe",
    "dateUpdated": "2026-05-12T19:47:34.867Z",
    "dateReserved": "2026-05-07T21:29:22.243Z",
    "datePublished": "2026-05-12T19:19:59.595Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "eb103674-0d28-4225-80f8-39fb86215de0",
        "shortName": "hpe",
        "dateUpdated": "2026-05-12T19:19:59.595Z"
      },
      "title": "Insufficient Session Invalidation on User Account Deactivation in AOS-8 Operating System",
      "descriptions": [
        {
          "lang": "en",
          "value": "A session management vulnerability in AOS-8 allows previously authenticated users to retain network access after their accounts are administratively disabled. Existing sessions are not invalidated when credentials are revoked, enabling continued access until session expiration. An attacker with compromised credentials could exploit this behavior to maintain unauthorized access even after the account has been disabled.",
          "supportingMedia": [
            {
              "type": "text/html",
              "base64": false,
              "value": "<p>A session management vulnerability in AOS-8 allows previously authenticated users to retain network access after their accounts are administratively disabled. Existing sessions are not invalidated when credentials are revoked, enabling continued access until session expiration. An attacker with compromised credentials could exploit this behavior to maintain unauthorized access even after the account has been disabled.</p>"
            }
          ]
        }
      ],
      "affected": [
        {
          "vendor": "Hewlett Packard Enterprise (HPE)",
          "product": "HPE Aruba Networking Wireless Operating System (AOS)",
          "defaultStatus": "affected",
          "versions": [
            {
              "version": "8.13.0.0",
              "status": "affected",
              "versionType": "semver",
              "lessThanOrEqual": "8.13.1.1"
            },
            {
              "version": "8.12.0.0",
              "status": "affected",
              "versionType": "semver",
              "lessThanOrEqual": "8.12.0.6"
            },
            {
              "version": "8.10.0.0",
              "status": "affected",
              "versionType": "semver",
              "lessThanOrEqual": "8.10.0.21"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw05048en_us&docLocale=en_US"
        }
      ],
      "metrics": [
        {
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ],
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM"
          }
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "0x50d",
          "type": "reporter"
        }
      ]
    },
    "adp": [
      {
        "providerMetadata": {
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP",
          "dateUpdated": "2026-05-12T19:47:34.867Z"
        },
        "title": "CISA ADP Vulnrichment",
        "metrics": [
          {}
        ]
      }
    ]
  }
}