Medium5.0Fortinet Updated
OTP Disclosure via Exported TokenContentProvider
FG-IR-26-130 Published May 12, 2026Updated by vendor May 12, 2026
CVE-2026-44279
Affected products & platforms
FortinetUnclassified
Summary
CVSSv3 Score: 5.0 An improper export of Android application components [CWE-926] in FortiTokenAndroid may allow other applications on the device to read the OTP code via an exported Content Provider URI. Revised on 2026-05-12 00:00:00
Affected versions
- FortiTokenAndroid 6.2: 6.2 all versions
- FortiTokenAndroid 6.1: 6.1 all versions
- FortiTokenAndroid 5.2: 5.2 all versions
Official advisory · high-confidence parse· fetched 1 day ago·verify at source
Fixed versions
- FortiTokenAndroid 6.2: migrate to a fixed release
- FortiTokenAndroid 6.1: migrate to a fixed release
- FortiTokenAndroid 5.2: migrate to a fixed release
Official advisory · high-confidence parse· fetched 1 day ago·verify at source
Mitigation checklist
Recommended fix / mitigation
- Upgrade per the Affected/Solution table: FortiTokenAndroid 6.2: migrate to a fixed release; FortiTokenAndroid 6.1: migrate to a fixed release; FortiTokenAndroid 5.2: migrate to a fixed release.
Official advisory · high-confidence parse· fetched 1 day ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.