Skip to main content

Fortinet FortiPortal CVE-2026-49938

| EUVDEUVD-2026-35442 MEDIUM
Improper Access Control (CWE-284)
2026-06-09 fortinet GHSA-ccch-q89j-28hm
6.5
CVSS 3.1 · Vendor: fortinet
Share

Severity by source

Vendor (fortinet) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from Vendor (fortinet) · only source for this CVE.

CVSS VectorVendor: fortinet

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
CVSS changed
Jun 09, 2026 - 16:22 NVD
6.2 (MEDIUM) 6.5 (MEDIUM)
Analysis Generated
Jun 09, 2026 - 15:48 vuln.today
CVE Published
Jun 09, 2026 - 14:27 nvd
MEDIUM 6.2

DescriptionCVE.org

A improper access control vulnerability in Fortinet FortiPortal 7.4.0 through 7.4.7, FortiPortal 7.2.0 through 7.2.8, FortiPortal 7.0 all versions may allow attacker to improper access control via <insert attack vector here>

AnalysisAI

Improper access control in Fortinet FortiPortal versions 7.0.x (all), 7.2.0-7.2.8, and 7.4.0-7.4.7 enables an authenticated low-privilege attacker to bypass authorization controls and gain unauthorized read access to sensitive data. The CVSS vector (AV:N/AC:L/PR:L/UI:N/C:H) indicates low-complexity network exploitation by any authenticated user, resulting in high confidentiality impact with no integrity or availability loss. No public exploit identified at time of analysis based on CISA KEV, though publicly available exploit code exists per the CVSS temporal E:P metric, and Fortinet has issued an official fix.

Technical ContextAI

FortiPortal is Fortinet's multi-tenant management portal, primarily used by MSSPs and enterprise customers to manage FortiGate security policies, firewall configurations, and network telemetry across customer tenants. CWE-284 (Improper Access Control) identifies the root cause as a failure to enforce authorization boundaries - the system permits authenticated low-privilege users to access resources, API endpoints, or data structures that should require elevated privileges. The 'Authentication Bypass' tag in conjunction with CWE-284 and the PR:L CVSS parameter suggests vertical or horizontal privilege escalation within FortiPortal's role-based access model, potentially exposing cross-tenant data or administrative functions. The affected CPE (cpe:2.3:a:fortinet:fortiportal:*:*:*:*:*:*:*:*) encompasses the full FortiPortal application across the named version ranges. The CVE description contains a placeholder ('<insert attack vector here>'), indicating the precise exploitation mechanism within the portal has not been fully disclosed in the available data.

RemediationAI

Fortinet has released an official fix per the CVSS temporal RL:O metric and the PSIRT advisory FG-IR-26-140 at https://fortiguard.fortinet.com/psirt/FG-IR-26-140; however, the exact patched version numbers are not specified in the available data and must be confirmed directly from the Fortinet advisory before upgrading. Administrators should prioritize reviewing the advisory for the target upgrade version and apply the patch immediately, particularly given publicly available proof-of-concept code. As interim compensating controls prior to patching: restrict network access to FortiPortal's management interface to trusted IP ranges via upstream firewall ACLs (trade-off: operational impact for remote administrators); audit and minimize low-privilege accounts with portal access, removing any unnecessary accounts that could be leveraged; and enable enhanced logging on FortiPortal access events to detect anomalous cross-role data access attempts. Network-level restrictions reduce attack surface but do not remediate the underlying access control flaw.

CVE-2025-64446 CRITICAL POC
9.8 Nov 14

Fortinet FortiWeb contains a relative path traversal allowing unauthenticated attackers to execute administrative comman

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2025-58034 HIGH POC
7.2 Nov 18

Fortinet FortiWeb contains an authenticated OS command injection allowing privilege escalation to execute unauthorized c

CVE-2016-1909 CRITICAL POC
9.8 Jan 15

Fortinet FortiAnalyzer before 5.0.12 and 5.2.x before 5.2.5; FortiSwitch 3.3.x before 3.3.3; FortiCache 3.0.x before 3.0

CVE-2016-6909 CRITICAL POC
9.8 Aug 24

Buffer overflow in the Cookie parser in Fortinet FortiOS 4.x before 4.1.11, 4.2.x before 4.2.13, and 4.3.x before 4.3.9

CVE-2026-21643 CRITICAL POC
9.8 Feb 06

A product has a SQL injection vulnerability enabling unauthenticated database compromise through improperly neutralized

CVE-2026-35616 CRITICAL POC
9.8 Apr 04

Remote code execution in Fortinet FortiClientEMS versions 7.4.5 through 7.4.6 allows unauthenticated attackers to execut

CVE-2025-25256 CRITICAL POC
9.8 Aug 12

An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in

CVE-2026-24858 CRITICAL
9.8 Jan 27

Fortinet FortiAnalyzer and FortiManager contain a critical authentication bypass vulnerability (CVE-2026-24858, CVSS 9.8

CVE-2025-59718 CRITICAL
9.8 Dec 09

Authentication bypass in Fortinet FortiOS, FortiProxy, and FortiSwitchManager allows unauthenticated remote attackers to

CVE-2012-1461 MEDIUM
4.3 Mar 21

The Gzip file parser in AVG Anti-Virus 10.0.0.1190, Bitdefender 7.2, Command Antivirus 5.2.11.5, Emsisoft Anti-Malware 5

CVE-2012-1459 MEDIUM
4.3 Mar 21

The TAR file parser in AhnLab V3 Internet Security 2011.01.18.00, Avira AntiVir 7.11.1.163, Antiy Labs AVL SDK 2.0.3.7,

Share

CVE-2026-49938 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy