CVE-2026-23822 PUBLISHED

Unauthenticated XML External Entity Injection in AOS-8 Instant allows Denial of Service

Assigner: hpe
Reserved: 16.01.2026 Published: 12.05.2026 Updated: 12.05.2026

A vulnerability in the XML handling component of AOS-8 DHCP services could allow an unauthenticated remote attacker to trigger a denial-of-service condition. Successful exploitation could allow an attacker to cause excessive resource consumption upon user interaction, leading to service disruption or reduced availability of the affected system.

NOTE: This vulnerability only impacts Access Points running AOS Instant 8.x.x.x

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H
CVSS Score: 5.3

Attack Vector	Network	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	None
User Interaction	Required	Availability Impact	High

CVSS 3.1

Product Status

Vendor	Hewlett Packard Enterprise (HPE)
Product	ArubaOS (AOS)
Versions	Default: affected affected from 8.13.0.0 to 8.13.1.1 (incl.) affected from 8.12.0.0 to 8.12.0.6 (incl.) affected from 8.10.0.0 to 8.10.0.21 (incl.)

Credits

Nicholas Starke reporter

References

https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw05049en_us&docLocale=en_US