Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionNVD
A improper export of android application components vulnerability in Fortinet FortiTokenAndroid 6.2 all versions, FortiTokenAndroid 6.1 all versions, FortiTokenAndroid 5.2 all versions may allow attacker to improper access control via <insert attack vector here>
AnalysisAI
Improper export of Android application components in Fortinet FortiToken Android 5.2, 6.1, and 6.2 allows local authenticated attackers to gain unauthorized access to sensitive information via exposed application components that lack proper access control. The vulnerability has a CVSS score of 5.0 with local attack vector and requires low privileges, enabling information disclosure without user interaction. No public exploit code has been identified, and the vulnerability is not listed in active exploitation databases at the time of analysis.
Technical ContextAI
The vulnerability resides in the Android application framework layer where FortiToken Android improperly exports application components (likely Activities, Services, Broadcast Receivers, or Content Providers) without enforcing proper access control restrictions. CWE-926 (Improper Export of Android Application Components) describes the root cause: when Android components are not properly protected via android:exported attribute or permission restrictions in the AndroidManifest.xml, other applications on the same device can invoke or interact with these components, leading to unauthorized data access. The affected versions span 5.2 through 6.2, suggesting a systemic design issue rather than an isolated regression. An attacker with local access and low-privilege authentication context can exploit the exposed components to retrieve sensitive authentication or token data stored within the application's protected memory space or shared storage.
RemediationAI
Users should upgrade Fortinet FortiToken Android to the latest available version beyond 6.2 once released by Fortinet. Consult the Fortinet PSIRT advisory at https://fortiguard.fortinet.com/psirt/FG-IR-26-130 for specific patched version availability and timelines. Until a patched version is available, organizations should implement compensating controls: restrict installation of FortiToken Android on shared or multi-user devices where low-privilege accounts may be present, enforce device-level application permission restrictions (disable or limit component export where possible through device management tools), and monitor application-level access logs within FortiToken if available. Users should avoid granting FortiToken Android unnecessary permissions and should not install other untrusted applications on devices running FortiToken to reduce the attack surface for inter-app exploitation. Note that these mitigations reduce risk but do not eliminate the underlying vulnerability.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29731
GHSA-6xw2-cp28-pgvr