Skip to main content

Fortra GoAnywhere MFT CVE-2026-0971

| EUVDEUVD-2026-24128 MEDIUM
Insufficient Session Expiration (CWE-613)
2026-04-21 Fortra GHSA-436j-4grc-7cjp
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

6
Patch released
Apr 23, 2026 - 14:00 nvd
Patch available
Analysis Generated
Apr 21, 2026 - 16:32 vuln.today
Patch available
Apr 21, 2026 - 16:31 EUVD
EUVD ID Assigned
Apr 21, 2026 - 14:30 euvd
EUVD-2026-24128
Analysis Generated
Apr 21, 2026 - 14:30 vuln.today
CVE Published
Apr 21, 2026 - 14:14 nvd
MEDIUM 4.3

DescriptionCVE.org

An improper session timeout issue in Fortra's GoAnywhere MFT prior to version 7.10.0 results in SAML configured Web Users being redirected to the regular login page instead of the SAML login page.

AnalysisAI

Improper session timeout handling in Fortra GoAnywhere MFT prior to version 7.10.0 allows unauthenticated remote attackers to bypass SAML authentication and redirect users to the regular login page, potentially enabling credential harvesting or session hijacking attacks. The vulnerability requires user interaction (clicking a malicious link or visiting a crafted URL) but affects all web users configured with SAML single sign-on, creating an information disclosure risk through unexpected authentication flow exposure.

Technical ContextAI

The vulnerability is rooted in CWE-613 (Insufficient Session Expiration), a class of flaws where session management mechanisms fail to properly invalidate or refresh security context after timeout events. In GoAnywhere MFT, SAML-configured web users should be transparently redirected to the SAML identity provider login flow; instead, the session timeout mechanism incorrectly routes them to the standard application login page. This breaks the intended SAML authentication chain and exposes the regular login interface to users who should only access SAML-protected resources. The affected product is Fortra's GoAnywhere MFT (CPE: cpe:2.3:a:fortra:goanywhere_mft), a managed file transfer solution commonly deployed in enterprise environments for secure data exchange.

RemediationAI

Upgrade Fortra GoAnywhere MFT to version 7.10.0 or later immediately. This is the only vendor-released patch confirmed to address the session timeout handling defect. If immediate patching is not feasible, organizations should implement compensating controls: (1) enforce IP-based session restrictions to limit session reuse across geographic locations, (2) disable or strictly monitor the regular login page for SAML-configured users via access control lists, (3) enable detailed audit logging of authentication events to detect anomalous login patterns, and (4) provide security awareness training to users about the expected SAML login flow to reduce susceptibility to credential harvesting. Note that compensating controls do not eliminate the underlying vulnerability and should be temporary pending patching. See Fortra security advisory FI-2025-013 for additional details and deployment guidance.

Share

CVE-2026-0971 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy