## https://sploitus.com/exploit?id=5138E609-7524-5859-A85E-CCDAA5FA5027
# CVE-2026-23813 โ AOS-CX Pre-Auth Authentication Bypass
> Unauthenticated remote attackers can reach the AOS-CX management REST API
> by smuggling a `login` token through nginx's over-permissive version regex,
> exposing the OVSDB-backed configuration surface (including the hashed
> admin credential).
- **CVE:** [CVE-2026-23813](https://nvd.nist.gov/vuln/detail/CVE-2026-23813)
- **CWE-287** ยท **CVSS 9.8 (Critical)**
- **Vendor:** HPE Aruba Networking ยท **Product:** AOS-CX
- **Write-up:** [offseckit.com/blog/cve-2026-23813](https://offseckit.com/blog/cve-2026-23813)
## Affected versions
| Branch | Vulnerable | Fixed |
|---------|---------------|-------------|
| 10.17.x | โค 10.17.0001 | 10.17.1001 |
| 10.16.x | โค 10.16.1020 | 10.16.1030 |
| 10.13.x | โค 10.13.1160 | 10.13.1161 |
| 10.10.x | โค 10.10.1170 | 10.10.1180 |
## Quick start
### Check if a device is patched (defenders)
```bash
python3 detect.py
```
Sends one read-only GET. Prints `PATCHED`, `VULNERABLE`, or `UNKNOWN`.
Makes no changes. Suitable for inventory sweeps.
### Understand the bypass (researchers)
```bash
python3 bypass_demo.py
```
Sends the same endpoint twice โ once normally, once with the smuggle โ
and prints the response codes side-by-side. No state change. See
[`docs/root-cause.md`](docs/root-cause.md) for the *why*.
### Demonstrate impact (authorized testing only)
```bash
python3 exploit.py
```
Creates a checkpoint via the unauthenticated path, reads the full
running config, prints the admin hash. The checkpoint persists on the
device โ the REST endpoints reachable via the bypass do not accept
`DELETE`; remove the checkpoint via console / authorized session if
needed.
## Files
| File | Purpose |
|-----------------------------------|--------------------------------------------------|
| `detect.py` | Non-destructive patch-status check |
| `bypass_demo.py` | Educational side-by-side of the bypass mechanic |
| `exploit.py` | Config-disclosure PoC (creates a checkpoint) |
| `detection/nginx-access.md` | Log signatures for nginx access logs |
| `detection/suricata.rules` | Suricata rule for the smuggle URI shape |
| `docs/root-cause.md` | Short root-cause explainer |
| `docs/patch-diff.md` | The fix, in one diff |
## Requirements
Python 3.8+ and `requests`:
```bash
pip install requests
```
## Authorized use only
This is security research. Only use against systems you own or have
explicit written permission to test. Unauthorized access to networking
equipment is illegal in most jurisdictions.
## Credits
Independent post-patch analysis and PoC by **4252nez** โ write-up on
[OffSecKit](https://offseckit.com/blog/cve-2026-23813).
Original vulnerability reported by moonv via the HPE Bugcrowd program;
this repository has no affiliation with that report.
## License
MIT โ see [LICENSE](LICENSE).