CVE-2026-23595
Published: 17 February 2026
Summary
CVE-2026-23595 is a high-severity Improper Access Control (CWE-284) vulnerability in HPE Aruba Networking Private 5G Core. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Create Account (T1136). The CVE ranks at the 26.1 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Enforces approved authorizations for logical access, directly preventing authentication bypass that allows unauthorized API access to create administrative accounts.
- Requires unique identification and authentication of organizational users before access, mitigating the authentication bypass vulnerability in the application API.
- Manages system accounts including creation, approval, and monitoring to prevent unauthorized privileged account establishment via the exploited API.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The authentication bypass in the API directly enables unauthorized admin account creation (T1136) via exploitation of a remote service (T1210).
NVD Description
An authentication bypass in the application API allows an unauthorized administrative account to be created. A remote attacker could exploit this vulnerability to create privileged user accounts. Successful exploitation could allow an attacker to gain administrative access, modify system configurations, and access or manipulate sensitive data.
Deeper analysis
CVE-2026-23595, published on 2026-02-17, is an authentication bypass vulnerability (CWE-284: Improper Access Control) in the application API. It has a CVSS 3.1 base score of 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The flaw affects an HPE product, as detailed in the vendor's security bulletin.
A remote attacker with adjacent network access can exploit this vulnerability without privileges or user interaction. Exploitation allows creation of unauthorized administrative accounts, leading to full administrative access. This enables modification of system configurations and access or manipulation of sensitive data.
The HPE security advisory at https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw05002en_us&docLocale=en_US provides details on mitigation and patching.
Details
- CWE(s)