Description
Vulnerabilities in the API error handling of an HPE Aruba Networking 5G Core server API could allow an unauthenticated remote attacker to obtain sensitive information. Successful exploitation could allow an attacker to access details such as user accounts, roles, and system configuration, as well as to gain insight into internal services and workflows, increasing the risk of unauthorized access and elevated privileges when combined with other vulnerabilities.
Published: 2026-02-17
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Information Disclosure
Action: Apply Patch
AI Analysis

Impact

A flaw in the error handling of an HPE Aruba Networking Private 5G Core server API permits an unauthenticated remote attacker to retrieve sensitive data. The vulnerability can expose user accounts, roles, system configuration, internal services, and workflow details, thereby compromising confidentiality and potentially enabling later privilege escalation when combined with other weaknesses.

Affected Systems

The affected product is HPE Aruba Networking Private 5G Core. No specific version information is provided in the advisory, so all current builds should be considered potentially vulnerable until a patch is applied.

Risk and Exploitability

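The CVSS score of 6.5 indicates medium severity, while the EPSS score of less than 1% suggests that exploit attempts are unlikely but not impossible. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires only unauthenticated API access, which could be achieved by sending crafted requests to the exposed API endpoints. The risk is primarily a confidentiality breach, but the exposed information could assist attackers in gaining higher privileges later. Note that the CVSS 3.1 vector recorded in this entry's history (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) rates the attack vector as adjacent network and the impact as availability only, which is at odds with the information-disclosure description, so the base score alone should not drive prioritization.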

Generated by OpenCVE AI on April 17, 2026 at 18:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest security patch for HPE Aruba Networking Private 5G Core released by HPE.
  • Restrict access to the API by enabling IP whitelisting or firewall rules that limit exposure to trusted networks and require proper authentication.
  • Audit API error responses to ensure that sensitive information is not included in returned messages and review logs for anomalous activity.

Advisories

No advisories yet.

History

Sat, 28 Feb 2026 01:30:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:hpe:aruba_networking_private_5g_core:*:*:*:*:*:*:*:*

Wed, 18 Feb 2026 15:15:00 +0000

Type: Weaknesses
Values Added: CWE-200

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 18 Feb 2026 11:00:00 +0000

Type: First Time appeared
Values Added: Hpe; Hpe aruba Networking Private 5g Core

Type: Vendors & Products
Values Added: Hpe; Hpe aruba Networking Private 5g Core

Tue, 17 Feb 2026 21:15:00 +0000

Type: Description
Values Added: Vulnerabilities in the API error handling of an HPE Aruba Networking 5G Core server API could allow an unauthenticated remote attacker to obtain sensitive information. Successful exploitation could allow an attacker to access details such as user accounts, roles, and system configuration, as well as to gain insight into internal services and workflows, increasing the risk of unauthorized access and elevated privileges when combined with other vulnerabilities.

Type: Title
Values Added: Unauthenticated Information Disclosure in application API allows sensitive system information exposure

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: hpe

Published:

Updated: 2026-02-18T14:42:46.651Z

Reserved: 2026-01-14T15:40:17.991Z

Link: CVE-2026-23597

Vulnrichment

Updated: 2026-02-18T14:42:41.555Z

NVD

Status: Analyzed

Published: 2026-02-17T21:22:16.053

Modified: 2026-03-02T13:29:10.500

Link: CVE-2026-23597

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T19:00:11Z

Weaknesses