cbcvebase.
CVE-2026-44873
published 2026-05-12

CVE-2026-44873: A session management vulnerability in AOS-8 allows previously authenticated users to retain network access after their accounts are administratively disabled…

PriorityP431medium5.4CVSS 3.1
AVNACLPRLUINSUCLILAN
EPSS
0.14%
3.8th percentile
A session management vulnerability in AOS-8 allows previously authenticated users to retain network access after their accounts are administratively disabled. Existing sessions are not invalidated when credentials are revoked, enabling continued access until session expiration. An attacker with compromised credentials could exploit this behavior to maintain unauthorized access even after the account has been disabled.

Affected

8 ranges
VendorProductVersion rangeFixed in
arubanetworksarubaos>= 6.5.4.0 < 8.10.0.228.10.0.22
arubanetworksarubaos>= 8.11.0.0 < 8.12.0.78.12.0.7
arubanetworksarubaos>= 8.13.0.0 < 8.13.1.28.13.1.2
arubanetworkssd-wan8.6.0.4-2.2.0.0 – 8.6.0.4-2.2.0.7
arubanetworkssd-wan8.7.0.0-2.3.0.0 – 8.7.0.0-2.3.0.9
hewlett_packard_enterprisehpe_aruba_networking_wireless_operating_system8.10.0.0 – 8.10.0.21
hewlett_packard_enterprisehpe_aruba_networking_wireless_operating_system8.12.0.0 – 8.12.0.6
hewlett_packard_enterprisehpe_aruba_networking_wireless_operating_system8.13.0.0 – 8.13.1.1
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.