CVE-2026-44874 PUBLISHED

Authenticated Arbitrary File Download via AOS-10 Web-Based Management Interface

Assigner: hpe
Reserved: 07.05.2026 Published: 12.05.2026 Updated: 12.05.2026

A vulnerability exists in the web-based management interface of an AOS-10 Gateway that could allow an authenticated remote attacker to access sensitive files on the underlying operating system. Successful exploitation of this vulnerability could result in the disclosure of confidential system information, potentially enabling further attacks against the affected device.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
CVSS Score: 4.9

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	High	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	Hewlett Packard Enterprise (HPE)
Product	HPE Aruba Networking Wireless Operating System (AOS)
Versions	Default: affected affected from 10.7.0.0 to 10.7.2.2 (incl.) Version 10.8.0.0 is affected affected from 10.4.0.0 to 10.4.1.10 (incl.)

Credits

zzcentury reporter

References

https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw05048en_us&docLocale=en_US