PSIRT Advisory: Improper access control on API endpoints

Summary
An Improper Access Control vulnerability [CWE-284] in FortiAuthenticator may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.

Affected Products
Version                 | Affected            | Solution
FortiAuthenticator 8.0  | 8.0.2               | Upgrade to 8.0.3 or above
FortiAuthenticator 8.0  | 8.0.0               | Upgrade to 8.0.3 or above
FortiAuthenticator 6.6  | 6.6.0 through 6.6.8 | Upgrade to 6.6.9 or above
FortiAuthenticator 6.5  | 6.5.0 through 6.5.6 | Upgrade to 6.5.7 or above

FortiAuthenticator Cloud is not impacted by this issue; customers of that service do not need to take any action.

Acknowledgement
Internally discovered as part of a Fortinet audit.

Timeline
2026-05-12: Initial publication

IR Number: FG-IR-26-128
Published Date: May 12, 2026
Component: API
Severity: Critical
Discovered: Internal
Attack Type: Unauthenticated
Known Exploited: No
CVSSv3 Score: 9.1
Impact: Execute unauthorized code or commands
CVE ID: CVE-2026-44277
A critical improper access control vulnerability (CVE-2026-44277, CWE-284, CVSSv3 9.1) in FortiAuthenticator may allow an unauthenticated attacker to execute unauthorized code or commands via crafted API requests. The advisory lists FortiAuthenticator 8.0.0 and 8.0.2, 6.6.0 through 6.6.8, and 6.5.0 through 6.5.6 as affected; the fixed releases are 8.0.3, 6.6.9, and 6.5.7 respectively. FortiAuthenticator Cloud is not affected, the finding came from an internal Fortinet audit, and no exploitation in the wild was known at publication.
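The affected/solution table is easy to misread when a fleet spans several branches, so the following is an added example (not Fortinet tooling and not part of the advisory) that encodes the table above and reports, for a given version string, whether the advisory lists it as affected and which release fixes it. It assumes an operator pastes a string such as "6.6.8" or "v8.0.2 build0123" from the appliance; that input format, and the decision to report a build the advisory does not name (for example 8.0.1, which sits between two listed 8.0 rows) as "not listed" rather than "safe", are this example's choices, not the advisory's.

```python
"""Check a FortiAuthenticator version string against the affected/solution
table published in FG-IR-26-128 (CVE-2026-44277).

Added example for this page, not Fortinet code. The table is transcribed
from the advisory; the accepted input format is an assumption.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

Version = Tuple[int, int, int]


class Verdict(NamedTuple):
    version: Version
    affected: Optional[bool]   # None: the advisory makes no statement about this build
    fix: Optional[str]         # minimum fixed release when affected


# Transcribed from FG-IR-26-128: (lowest affected, highest affected, fixed release).
# The 8.0 branch lists 8.0.0 and 8.0.2 as separate rows and does not mention
# 8.0.1, so each is encoded as a single-version range rather than one span.
AFFECTED_RANGES: List[Tuple[Version, Version, str]] = [
    ((6, 5, 0), (6, 5, 6), "6.5.7"),
    ((6, 6, 0), (6, 6, 8), "6.6.9"),
    ((8, 0, 0), (8, 0, 0), "8.0.3"),
    ((8, 0, 2), (8, 0, 2), "8.0.3"),
]

# Assumed input shape: first major.minor.patch triple, optional leading "v".
_VERSION_RE = re.compile(r"\b[vV]?(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str) -> Version:
    """Extract the first major.minor.patch triple from operator-supplied text."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no major.minor.patch version found in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def _as_version(s: str) -> Version:
    a, b, c = (int(x) for x in s.split("."))
    return (a, b, c)


def assess(text: str) -> Verdict:
    """Classify a version as affected (True), fixed (False) or not listed (None)."""
    v = parse_version(text)
    for low, high, fix in AFFECTED_RANGES:
        if low <= v <= high:
            return Verdict(v, True, fix)

    # Outside every affected row. Only call it fixed if it is at or above the
    # fixed release of a branch the advisory actually covers.
    branch_fixes = [_as_version(fix) for low, _, fix in AFFECTED_RANGES if low[:2] == v[:2]]
    if branch_fixes and v >= min(branch_fixes):
        return Verdict(v, False, None)
    # Unlisted branch (e.g. 7.x) or unlisted build inside a listed branch (8.0.1).
    return Verdict(v, None, None)


def describe(text: str) -> str:
    """Human-readable one-liner for a report."""
    r = assess(text)
    ver = ".".join(map(str, r.version))
    if r.affected is True:
        return f"{ver}: AFFECTED by CVE-2026-44277, upgrade to {r.fix} or above"
    if r.affected is False:
        return f"{ver}: not affected (at or above the fixed release)"
    return f"{ver}: not listed in FG-IR-26-128, confirm with the vendor"


if __name__ == "__main__":
    # Constructed sample inputs, the kind of strings copied from a fleet inventory.
    for sample in ["6.6.8", "v8.0.2 build0123", "8.0.1", "6.5.7", "7.0.5"]:
        print(describe(sample))
```

Treating an unlisted build as "not listed" instead of "not affected" is deliberate: the advisory is the only source of truth here, and a checker that silently marks 8.0.1 or an entire unmentioned branch as safe would hide exactly the gap an operator needs to raise with the vendor.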