Description
An authentication bypass in the application API allows an unauthorized administrative account to be created. A remote attacker could exploit this vulnerability to create privileged user accounts. Successful exploitation could allow an attacker to gain administrative access, modify system configurations, and access or manipulate sensitive data.
Published: 2026-02-17
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Administrative Privilege Escalation
Action: Apply Patch
AI Analysis

Impact

An authentication bypass in the HPE Aruba Networking Private 5G Core application API lets an unauthenticated attacker create privileged administrative accounts. The flaw is an access-control weakness (CWE-284) that allows a remote attacker to gain full administrative control, modify system configurations, and access or alter sensitive data. The impact is a significant compromise of confidentiality and integrity, with potential availability disruption if configurations are maliciously altered.

Affected Systems

The vulnerability affects Hewlett Packard Enterprise’s Aruba Networking Private 5G Core platform. No specific version information is provided, implying that all released versions of the affected product are potentially susceptible until a vendor fix is issued.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, and the EPSS score of less than 1% suggests that the probability of exploitation is currently low but non-zero. The flaw is not yet listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is remote API access (the CVSS vector recorded in the History section below rates it AV:A, adjacent network); an attacker only needs to reach the application API, for which no authentication is required, to create an administrative user and subsequently control the system.

Generated by OpenCVE AI on April 17, 2026 at 18:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Acquire and install the vendor‑issued patch or upgrade to a version where the authentication bypass is fixed.
  • Restrict exposure of the application API by configuring firewall rules or network segmentation so that only trusted hosts or VPN users can reach the API endpoint.
  • Ensure that API access is authenticated and that unauthenticated requests cannot invoke privileged operations. If possible, disable or limit API exposure on publicly reachable servers.


Advisories

No advisories yet.

History

Sat, 28 Feb 2026 01:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:hpe:aruba_networking_private_5g_core:*:*:*:*:*:*:*:*

Wed, 18 Feb 2026 16:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-288

Wed, 18 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Wed, 18 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-288
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 18 Feb 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Hpe
Hpe aruba Networking Private 5g Core
Vendors & Products Hpe
Hpe aruba Networking Private 5g Core

Tue, 17 Feb 2026 21:15:00 +0000

Type Values Removed Values Added
Description An authentication bypass in the application API allows an unauthorized administrative account to be created. A remote attacker could exploit this vulnerability to create privileged user accounts. Successful exploitation could allow an attacker to gain administrative access, modify system configurations, and access or manipulate sensitive data.
Title Unauthenticated Authentication Bypass in application API allows unauthorized administrative account creation
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: hpe

Published:

Updated: 2026-02-18T15:18:41.436Z

Reserved: 2026-01-14T15:40:17.990Z

Link: CVE-2026-23595

Vulnrichment

Updated: 2026-02-18T14:38:56.019Z

NVD

Status: Analyzed

Published: 2026-02-17T21:22:15.757

Modified: 2026-02-28T01:31:52.473

Link: CVE-2026-23595

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T19:00:11Z

Weaknesses