Skip to main content

Fortra GoAnywhere MFT CVE-2026-1089

| EUVDEUVD-2026-24130 MEDIUM
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2026-04-21 Fortra GHSA-6x5f-r479-qh4p
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
Low

Lifecycle Timeline

6
Patch released
Apr 23, 2026 - 13:45 nvd
Patch available
Analysis Generated
Apr 21, 2026 - 16:32 vuln.today
Patch available
Apr 21, 2026 - 16:31 EUVD
EUVD ID Assigned
Apr 21, 2026 - 14:30 euvd
EUVD-2026-24130
Analysis Generated
Apr 21, 2026 - 14:30 vuln.today
CVE Published
Apr 21, 2026 - 14:14 nvd
MEDIUM 6.5

DescriptionCVE.org

User‑Controlled HTTP Header in Fortra's GoAnywhere MFT prior to version 7.10.0 allows attackers to trigger a DNS lookup, as well as DNS Rebinding and Information Disclosure.

AnalysisAI

User-controlled HTTP headers in Fortra GoAnywhere MFT prior to version 7.10.0 enable remote unauthenticated attackers to trigger arbitrary DNS lookups and execute DNS rebinding attacks, leading to information disclosure and potential service degradation. The vulnerability exploits improper handling of attacker-supplied header values in network requests, allowing reconnaissance of internal infrastructure and circumvention of network segmentation controls.

Technical ContextAI

GoAnywhere MFT, a managed file transfer solution, fails to properly validate or sanitize HTTP headers supplied by remote clients. The root cause (CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component) indicates the application passes unsanitized header data to backend DNS resolution functions or URL parsing libraries without filtering user-controlled input. This allows attackers to inject arbitrary hostnames into DNS queries, which the server then resolves using its own network stack. DNS rebinding exploits leverage this to bypass same-origin policy restrictions by resolving attacker-controlled domains to internal IP addresses (127.0.0.1, 10.0.0.0/8, etc.), enabling the attacker to perform server-side request forgery (SSRF) attacks against internal services. The vulnerability is automatable (per SSVC) because the attack requires only HTTP header manipulation, no authentication, and can be scripted easily.

RemediationAI

Upgrade Fortra GoAnywhere MFT to version 7.10.0 or later immediately. This is the vendor-released patch that addresses the HTTP header validation flaw. For organizations unable to patch immediately, implement network-level controls: restrict HTTP/HTTPS access to GoAnywhere MFT to only trusted source IP ranges, disable or firewall any public Internet exposure of the MFT administration interface, and monitor DNS query logs for suspicious patterns (e.g., resolution of private IP ranges or repeated queries to attacker-controlled domains). If the MFT application supports custom HTTP header filtering or WAF integration, configure rules to validate HTTP headers against a whitelist of expected values and reject suspicious patterns. Note: network-level mitigations do not eliminate the vulnerability but reduce its surface - patching is the definitive fix. Consult Fortra's security advisory FI-2026-005 for version-specific upgrade procedures and any additional compensating controls documented by the vendor.

Share

CVE-2026-1089 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy