HPE Reports Flaw in AutoPass License Server Enabling Authentication Bypass
Take action: Treat your license servers as part of high-priority infrastructure because they often hold the keys to your entire software environment. Immediately update HPE APLS to version 9.19 and ensure these servers are never exposed to the public internet.
Hewlett Packard Enterprise (HPE) issued an urgent warning regarding a critical security flaw in its AutoPass License Server (APLS) that allows remote attackers to bypass authentication protocols entirely.
The flaw is tracked as CVE-2026-23600 (CVSS score 7.3 per HPE; the NVD CNA scored it as 10.0). It is a remote authentication bypass vulnerability that allows unauthenticated users to gain access to the management interface. The flaw is caused by a failure in the server's identity verification process, letting an attacker skip the login screen and interact with the system as an administrator. By sending specially crafted network requests to the APLS service, an attacker can gain full control over license management and potentially the underlying host system.
This security issue affects all versions of the HPE AutoPass License Server prior to version 9.19. Organizations using APLS to manage licenses for storage, networking, or server software are at risk until they apply the necessary updates to their environments.
HPE recommends that administrators immediately update to APLS version 9.19 or later to resolve the flaw. The update is available through the HPE support portal and should be prioritized for any internet-facing or broadly accessible internal instances. Until patching is complete, organizations should restrict network access to the license server to only trusted administrative IP addresses to minimize the attack surface.
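As an added example (not HPE's tooling or part of the original advisory), the following Python sketch ranks license servers for remediation using the two criteria above: whether the version is below 9.19 and whether network access is limited to trusted administrative addresses. The inventory format, host names, and the admin network range are assumptions constructed for illustration.

```python
import ipaddress

FIXED = (9, 19)  # first fixed APLS release named in the advisory

# Assumption: networks from which administration is legitimately performed.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed inventory: host, reported APLS version, and the source CIDRs
# the firewall in front of the license server currently allows.
INVENTORY = [
    {"host": "apls-lab", "version": "9.19", "allowed_sources": ["10.0.0.0/8"]},
    {"host": "apls-dmz", "version": "9.9", "allowed_sources": ["0.0.0.0/0"]},
    {"host": "apls-new", "version": "9.19.1", "allowed_sources": ["10.20.0.16/28"]},
    {"host": "apls-core", "version": "9.18.2", "allowed_sources": ["10.20.0.0/24"]},
]

def parse_version(text):
    """Turn '9.18.2' into (9, 18, 2) so that 9.9 sorts below 9.19."""
    return tuple(int(part) for part in text.strip().split("."))

def is_patched(version_text):
    return parse_version(version_text) >= FIXED

def is_restricted(allowed_sources):
    """True only if every allowed source range sits inside a trusted admin net."""
    for cidr in allowed_sources:
        net = ipaddress.ip_network(cidr, strict=False)
        if not any(net.version == t.version and net.subnet_of(t)
                   for t in TRUSTED_ADMIN_NETS):
            return False
    return True

def triage(inventory):
    """Return (priority, host, reason) rows, most urgent first."""
    rows = []
    for item in inventory:
        patched = is_patched(item["version"])
        restricted = is_restricted(item["allowed_sources"])
        if not patched and not restricted:
            rows.append((1, item["host"], "unpatched and broadly reachable: update first"))
        elif not patched:
            rows.append((2, item["host"], "unpatched, access restricted: update"))
        elif not restricted:
            rows.append((3, item["host"], "patched: tighten network access"))
        else:
            rows.append((4, item["host"], "patched and restricted"))
    return sorted(rows)

if __name__ == "__main__":
    for priority, host, reason in triage(INVENTORY):
        print(priority, host, reason)
```

Versions are compared as integer tuples because a plain string comparison would rank "9.9" above "9.19" and report a vulnerable server as fixed.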