Description
A session management vulnerability in AOS-8 allows previously authenticated users to retain network access after their accounts are administratively disabled. Existing sessions are not invalidated when credentials are revoked, enabling continued access until session expiration. An attacker with compromised credentials could exploit this behavior to maintain unauthorized access even after the account has been disabled.
Published: 2026-05-12
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A session management flaw in Hewlett Packard Enterprise Aruba Operating System (AOS) version 8 allows an authenticated user to retain network connectivity even after the user account has been administratively disabled. The existing session is not invalidated, so an attacker who has compromised credentials can continue to use the network until the session expires on its own. This vulnerability may enable the attacker to perform unauthorized actions, obtain sensitive information, or maintain a foothold within the network after the account has been disabled.

Affected Systems

Systems running the HPE Aruba Networking Wireless Operating System (AOS) version 8 are affected, as the vulnerability exists across all builds of that major release; specific version details are not provided by the vendor.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity. The EPSS score is not available, and the vulnerability is not listed in CISA KEV. Because the issue stems from inadequate session invalidation, an attacker must already hold valid credentials, either obtained before the account was disabled or acquired by other means. Once the account is marked inactive, the session remains active until it expires, creating a window of unauthorized access that a threat actor can exploit with minimal effort.

Generated by OpenCVE AI on May 12, 2026 at 21:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the HPE Aruba support portal for a patch or firmware update that addresses session invalidation for disabled accounts and apply the latest version of AOS-8 immediately.
  • If an update is not available or cannot be applied, manually terminate all active sessions for accounts that have been disabled by forcing logout or restarting the authentication service.
  • Implement network access controls or captive portal policies that require re‑authentication for each session to limit the impact of this flaw.
  • Continuously monitor active session logs for users whose accounts are marked as disabled to detect potential abuse.
  • Consult HPE Aruba documentation for recommended configurations or workarounds to enforce session termination after account deactivation.

Advisories

No advisories yet.

History

Tue, 12 May 2026 21:30:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-613

Tue, 12 May 2026 20:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 12 May 2026 19:30:00 +0000

Type | Values Removed | Values Added
Description | | A session management vulnerability in AOS-8 allows previously authenticated users to retain network access after their accounts are administratively disabled. Existing sessions are not invalidated when credentials are revoked, enabling continued access until session expiration. An attacker with compromised credentials could exploit this behavior to maintain unauthorized access even after the account has been disabled.
Title | | Insufficient Session Invalidation on User Account Deactivation in AOS-8 Operating System
References | |
Metrics | | cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: hpe

Published:

Updated: 2026-05-12T19:47:34.867Z

Reserved: 2026-05-07T21:29:22.243Z

Link: CVE-2026-44873

Vulnrichment

Updated: 2026-05-12T19:47:19.249Z

NVD

Status: Received

Published: 2026-05-12T20:16:45.907

Modified: 2026-05-12T20:16:45.907

Link: CVE-2026-44873

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T21:15:29Z

Weaknesses