CVE-2026-44873

Insufficient Session Invalidation on User Account Deactivation in AOS-8 Operating System

CVSS 5.4 MEDIUMEPSS 0.1%CWE-613

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 5.4EPSS 0.1%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

12 May 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

A session management vulnerability in AOS-8 allows previously authenticated users to retain network access after their accounts are administratively disabled. Existing sessions are not invalidated when credentials are revoked, enabling continued access until session expiration. An attacker with compromised credentials could exploit this behavior to maintain unauthorized access even after the account has been disabled.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Affected products

Hewlett Packard Enterprise (HPE) · HPE Aruba Networking Wireless Operating System (AOS)

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw05048en_us&docLocale=en_US