HPE AutoPass License Server Authentication Bypass Vulnerability (CVE-2026-23600)
A critical authentication bypass vulnerability in Hewlett Packard Enterprise AutoPass License Server (CVE-2026-23600) allows remote attackers to gain unauthorized access without credentials.
Hewlett Packard Enterprise has disclosed a critical authentication bypass vulnerability in its AutoPass License Server, tracked as CVE-2026-23600. The flaw, reported through the Zero Day Initiative (ZDI-26-134), allows remote attackers to bypass authentication without requiring any credentials. The vulnerability resides in the web service component that listens on TCP port 5814 by default.
The issue stems from incorrect authentication checks prior to granting access to functionality. An attacker can exploit this flaw to gain unauthorized access to the system, potentially leading to data exposure, service disruption, or further compromise. The vulnerability carries a CVSS score of 7.3, indicating high severity with a network attack vector, low attack complexity, and no privileges required.
HPE has released a security update to address the vulnerability. The advisory, available at HPE's support site, provides details on the affected versions and the necessary patches. Organizations using HPE AutoPass License Server are urged to apply the update immediately to mitigate the risk.
The vulnerability was reported to HPE on September 2, 2025, and the coordinated public disclosure occurred on March 3, 2026. The researcher who discovered the flaw chose to remain anonymous. This disclosure follows HPE's standard responsible disclosure process.
AutoPass License Server is used by HPE customers to manage software licenses. A successful exploit could allow an attacker to bypass license validation or gain administrative access, potentially impacting enterprise environments. Given the critical nature of the flaw and the lack of required authentication, it is likely to be targeted by threat actors.
This vulnerability highlights the ongoing risks associated with authentication mechanisms in enterprise software. HPE's prompt response and patch availability are crucial steps in protecting customers. Administrators should prioritize patching and review their exposure to the affected service.