A improper authentication vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.3, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR on-premise 7.6.0 through 7.6.3, FortiSOAR on-premise 7.5.0 through 7.5.2 may allow an unauthenticated attacker to bypass authentication via replaying captured 2FA request. The attack requires being able to intercept and decrypt authentication traffic and precise timing to replay the request before token expiration, which raises the attack complexity.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Exploitation none

Automatable no

Technical Impact total

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions
Fortinet FortiSOAR PaaS unaffected
Version Status Constraints
7.6.0 affected ≤ 7.6.3
7.5.0 affected ≤ 7.5.2
Fortinet FortiSOAR on-premise unaffected
Version Status Constraints
7.6.0 affected ≤ 7.6.3
7.5.0 affected ≤ 7.5.2

No data.

No data.

No data.

Project Subscriptions

Vendors Products
Fortinet Subscribe
Fortisoaron-premise Subscribe
Fortisoarpaas Subscribe
Advisories

No advisories yet.

Fixes

Solution

Upgrade to FortiSOAR PaaS version 7.6.4 or above Upgrade to upcoming FortiSOAR PaaS version 7.5.3 or above Upgrade to FortiSOAR on-premise version 7.6.4 or above Upgrade to upcoming FortiSOAR on-premise version 7.5.3 or above

Workaround

No workaround given by the vendor.

References
Link Providers
https://fortiguard.fortinet.com/psirt/FG-IR-26-101 cve-icon cve-icon
History

Tue, 14 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 16:00:00 +0000

Type Values Removed Values Added
Description A improper authentication vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.3, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR on-premise 7.6.0 through 7.6.3, FortiSOAR on-premise 7.5.0 through 7.5.2 may allow an unauthenticated attacker to bypass authentication via replaying captured 2FA request. The attack requires being able to intercept and decrypt authentication traffic and precise timing to replay the request before token expiration, which raises the attack complexity.
First Time appeared Fortinet
Fortinet fortisoaron-premise
Fortinet fortisoarpaas
Weaknesses CWE-287
CPEs cpe:2.3:a:fortinet:fortisoaron-premise:7.5.0:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisoaron-premise:7.5.1:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisoaron-premise:7.5.2:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisoaron-premise:7.6.0:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisoaron-premise:7.6.1:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisoaron-premise:7.6.2:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisoaron-premise:7.6.3:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisoarpaas:7.5.0:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisoarpaas:7.5.1:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisoarpaas:7.5.2:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisoarpaas:7.6.0:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisoarpaas:7.6.1:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisoarpaas:7.6.2:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisoarpaas:7.6.3:*:*:*:*:*:*:*
Vendors & Products Fortinet
Fortinet fortisoaron-premise
Fortinet fortisoarpaas
References
Metrics cvssV3_1

{'score': 6.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C'}

Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: fortinet

Published:

Updated: 2026-04-14T16:46:15.754Z

Reserved: 2026-01-15T13:00:41.463Z

Link: CVE-2026-23708

cve-icon Vulnrichment

Updated: 2026-04-14T16:37:16.911Z

cve-icon NVD

Status : Received

Published: 2026-04-14T16:16:37.277

Modified: 2026-04-14T16:16:37.277

Link: CVE-2026-23708

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.

Weaknesses