Description
Vulnerabilities in the API error handling of an HPE Aruba Networking 5G Core server API could allow an unauthenticated remote attacker to obtain sensitive information. Successful exploitation could allow an attacker to access details such as user accounts, roles, and system configuration, as well as to gain insight into internal services and workflows, increasing the risk of unauthorized access and elevated privileges when combined with other vulnerabilities.
Published: 2026-02-17
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch
AI Analysis

Impact

An exposed error‑handling path in the HPE Aruba Networking 5G Core API permits an unauthenticated remote attacker to retrieve sensitive system data. The flaw can reveal user accounts, roles, system configuration, and internal service details, potentially assisting attackers in planning privilege escalation or further exploitation. The vulnerability is a classic information disclosure weakness, classified as CWE‑209.

Affected Systems

Hewlett Packard Enterprise’s Aruba Networking Private 5G Core platform is affected. The specific API endpoints and versions are not enumerated in the advisory, but any instance of the 5G Core server REST API that lacks proper authentication controls for error responses is susceptible.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity, and the EPSS score of less than 1% suggests a very low probability of exploitation as of the latest measurement. The vulnerability remains outside the CISA KEV catalog. The likely attack vector is remote over the network: an unauthenticated attacker can send crafted API requests to trigger error responses that leak data. No additional prerequisites such as privileged access or exploitation of other vulnerabilities are required to extract the disclosed information, though it could be combined with other weaknesses for a more damaging attack.

Generated by OpenCVE AI on April 17, 2026 at 18:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the HPE support portal for a security patch or update that addresses the API error‑handling flaw and deploy it immediately.
  • If a patch is not yet available, restrict external access to the 5G Core API by implementing firewall rules or VPNs that allow only trusted IP ranges.
  • Reconfigure the API to return generic error messages without sensitive details, ensuring that no user or system information is disclosed even when errors occur.

Advisories

No advisories yet.

History

Sat, 28 Feb 2026 01:45:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:hpe:aruba_networking_private_5g_core:*:*:*:*:*:*:*:*

Fri, 27 Feb 2026 15:30:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-209

Wed, 18 Feb 2026 11:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Hpe; Hpe aruba Networking Private 5g Core
Vendors & Products | | Hpe; Hpe aruba Networking Private 5g Core

Tue, 17 Feb 2026 22:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 17 Feb 2026 21:15:00 +0000

Type | Values Removed | Values Added
Description | | Vulnerabilities in the API error handling of an HPE Aruba Networking 5G Core server API could allow an unauthenticated remote attacker to obtain sensitive information. Successful exploitation could allow an attacker to access details such as user accounts, roles, and system configuration, as well as to gain insight into internal services and workflows, increasing the risk of unauthorized access and elevated privileges when combined with other vulnerabilities.
Title | | Unauthenticated Information Disclosure in application API allows sensitive system information exposure
References | |
Metrics | | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: hpe

Published:

Updated: 2026-02-27T14:19:25.480Z

Reserved: 2026-01-14T15:40:17.991Z

Link: CVE-2026-23598

Vulnrichment

Updated: 2026-02-17T21:26:55.796Z

NVD

Status: Analyzed

Published: 2026-02-17T21:22:16.193

Modified: 2026-02-28T01:30:07.653

Link: CVE-2026-23598

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T19:00:11Z

Weaknesses