vulnerability

Aruba AOS-8: CVE-2026-44873: Insufficient Session Invalidation on User Account Deactivation in AOS-8 Operating System

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
5	(AV:N/AC:L/Au:S/C:P/I:P/A:N)	May 12, 2026	May 13, 2026	May 13, 2026

Severity

CVSS

(AV:N/AC:L/Au:S/C:P/I:P/A:N)

Published

May 12, 2026

Added

May 13, 2026

Modified

May 13, 2026

Description

A session management vulnerability in AOS-8 allows previously authenticated users to retain network access after their accounts are administratively disabled. Existing sessions are not invalidated when credentials are revoked, enabling continued access until session expiration. An attacker with compromised credentials could exploit this behavior to maintain unauthorized access even after the account has been disabled.

Solution

aruba-aos-8-cve-2026-44873

References

CVE-2026-44873
https://attackerkb.com/topics/CVE-2026-44873
https://csaf.arubanetworking.hpe.com/2026/hpe_aruba_networking_-_hpesbnw05048.json
https://euvd.enisa.europa.eu/vulnerability/EUVD-2026-29822
EUVD-EUVD-2026-29822

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report