HPE AutoPass Vulnerability Allows Remote Attackers to Bypass Authentication

Hewlett Packard Enterprise (HPE) has disclosed a remote authentication-bypass vulnerability in HPE AutoPass License Server (APLS) that could let unauthenticated attackers bypass login controls over the network.

The issue is tracked as CVE-2026-23600 and is fixed in APLS 9.19 and later.

Item Details
Vendor bulletin HPESBGN05003 rev.1 (Security Bulletin), initial release 27 Feb 2026; last updated 28 Feb 2026. 
CVE CVE-2026-23600 (NVD entry available).
Impact Remote authentication bypass (unauthorized access without valid credentials). 
Affected / Fixed APLS versions prior to 9.19 are impacted; upgrade to APLS 9.19 or later to remediate. 

Technical details

HPE states the vulnerability exists in HPE AutoPass License Server (APLS) and “could be remotely exploited to allow authentication bypass,” meaning an attacker may be able to reach protected functionality without completing normal authentication.

HPE associates the issue with CVE-2026-23600 and scores it 7.3 (CVSS v3.1) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, indicating network reachability, low attack complexity, no privileges required, and no user interaction.​

Only impacted versions are listed in the bulletin, and HPE identifies “HPE AutoPass License Server – Prior to 9.19” as affected.

The bulletin credits an anonymous reporter working with the Trend Micro Zero Day Initiative (as described by HPE) for responsibly reporting the issue to HPE.

Third-party write-ups reiterate that the flaw enables authentication bypass and that upgrading to 9.19 or newer addresses the problem.

Mitigation guidance

HPE’s primary remediation is to update HPE AutoPass License Server (APLS) to version 9.19 or later.

For operational guidance, HPE also notes that any third-party security patches on systems running HPE software should be applied according to the customer’s patch management policy.​

Beyond upgrading, defenders should treat license servers as high-value infrastructure and reduce exposure; confirm whether APLS is reachable from untrusted networks; restrict access to admin/management ports at the firewall; and place the service behind VPN or dedicated management networks.

Monitor for unexpected access patterns to the APLS web/service endpoints (for example, requests that appear to reach privileged actions without a prior authenticated session) and review authentication and access logs for anomalies around the time of patching.

Related Articles

Back to top button