Skip to main content

Fortinet FortiToken Android CVE-2026-44279

| EUVDEUVD-2026-29731 MEDIUM
Improper Export of Android Application Components (CWE-926)
2026-05-12 fortinet GHSA-6xw2-cp28-pgvr
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
CVSS changed
May 12, 2026 - 18:22 NVD
5.0 (MEDIUM) 5.5 (MEDIUM)
Analysis Generated
May 12, 2026 - 18:01 vuln.today
CVE Published
May 12, 2026 - 16:54 nvd
MEDIUM 5.0

DescriptionNVD

A improper export of android application components vulnerability in Fortinet FortiTokenAndroid 6.2 all versions, FortiTokenAndroid 6.1 all versions, FortiTokenAndroid 5.2 all versions may allow attacker to improper access control via <insert attack vector here>

AnalysisAI

Improper export of Android application components in Fortinet FortiToken Android 5.2, 6.1, and 6.2 allows local authenticated attackers to gain unauthorized access to sensitive information via exposed application components that lack proper access control. The vulnerability has a CVSS score of 5.0 with local attack vector and requires low privileges, enabling information disclosure without user interaction. No public exploit code has been identified, and the vulnerability is not listed in active exploitation databases at the time of analysis.

Technical ContextAI

The vulnerability resides in the Android application framework layer where FortiToken Android improperly exports application components (likely Activities, Services, Broadcast Receivers, or Content Providers) without enforcing proper access control restrictions. CWE-926 (Improper Export of Android Application Components) describes the root cause: when Android components are not properly protected via android:exported attribute or permission restrictions in the AndroidManifest.xml, other applications on the same device can invoke or interact with these components, leading to unauthorized data access. The affected versions span 5.2 through 6.2, suggesting a systemic design issue rather than an isolated regression. An attacker with local access and low-privilege authentication context can exploit the exposed components to retrieve sensitive authentication or token data stored within the application's protected memory space or shared storage.

RemediationAI

Users should upgrade Fortinet FortiToken Android to the latest available version beyond 6.2 once released by Fortinet. Consult the Fortinet PSIRT advisory at https://fortiguard.fortinet.com/psirt/FG-IR-26-130 for specific patched version availability and timelines. Until a patched version is available, organizations should implement compensating controls: restrict installation of FortiToken Android on shared or multi-user devices where low-privilege accounts may be present, enforce device-level application permission restrictions (disable or limit component export where possible through device management tools), and monitor application-level access logs within FortiToken if available. Users should avoid granting FortiToken Android unnecessary permissions and should not install other untrusted applications on devices running FortiToken to reduce the attack surface for inter-app exploitation. Note that these mitigations reduce risk but do not eliminate the underlying vulnerability.

Share

CVE-2026-44279 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy