CVE-2026-23708HIGH 8.1EPSS p19.8%

CVE-2026-23708CVE-2026-23708

Description

A improper authentication vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.3, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR on-premise 7.6.0 through 7.6.3, FortiSOAR on-premise 7.5.0 through 7.5.2 may allow an unauthenticated attacker to bypass authentication via replaying captured 2FA request. The attack requires being able to intercept and decrypt authentication traffic and precise timing to replay the request before token expiration, which raises the attack complexity.

Scoring

CVSS 3.18.1 (HIGH)
VectorCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS0.28% probability of exploitation · percentile 19.8% · 2026-06-19T12:03:05Z
Published2026-04-14
Last modified2026-05-06

Underlying weaknesses· 2

CWE-287CWE-862

References

  1. https://fortiguard.fortinet.com/psirt/FG-IR-26-101

2

TypeTargetConfidenceTier
WeaknessImproper Authenticationcwe-2870%live
WeaknessMissing Authorizationcwe-8620%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
Fortinet Multiple Products Authentication Bypass Using an Alternate Path or Channel Vulnerability
CVE
CVE-2026-44277
CVE
CVE-2025-53847
CVE
CVE-2022-40684
CVE
CVE-2026-49938
CVE
Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.