Critical9.1Fortinet Updated
Improper access control on API endpoints
FG-IR-26-128 Published May 12, 2026Updated by vendor May 12, 2026
CVE-2026-44277
Affected products & platforms
FortinetUnclassified
Summary
CVSSv3 Score: 9.1 An Improper Access Control vulnerability [CWE-284] in FortiAuthenticator may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests. Revised on 2026-05-12 00:00:00
Affected versions
- FortiAuthenticator 8.0: 8.0.2
- FortiAuthenticator 8.0: 8.0.0
- FortiAuthenticator 6.6: 6.6.0 through 6.6.8
- FortiAuthenticator 6.5: 6.5.0 through 6.5.6
Official advisory · high-confidence parse· fetched 1 day ago·verify at source
Fixed versions
- FortiAuthenticator 8.0: 8.0.3
- FortiAuthenticator 6.6: 6.6.9
- FortiAuthenticator 6.5: 6.5.7
Official advisory · high-confidence parse· fetched 1 day ago·verify at source
Mitigation checklist
Recommended fix / mitigation
- Upgrade per the Affected/Solution table: FortiAuthenticator 8.0: 8.0.3; FortiAuthenticator 6.6: 6.6.9; FortiAuthenticator 6.5: 6.5.7.
Temporary workarounds
- Disable API access for exposed interfaces via Network -> Interfaces -> Access Rights.
- Acknowledgement Internally discovered as part of a Fortinet audit.
Official advisory · high-confidence parse· fetched 1 day ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.