An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] vulnerability in Fortinet FortiAnalyzer 7.6.0 through…
fortinet·CWE-288·Published 2026-01-27
An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.5, FortiAnalyzer 7.4.0 through 7.4.9, FortiAnalyzer 7.2.0 through 7.2.11, FortiAnalyzer 7.0.0 through 7.0.15, FortiManager 7.6.0 through 7.6.5, FortiManager 7.4.0 through 7.4.9, FortiManager 7.2.0 through 7.2.11, FortiManager 7.0.0 through 7.0.15, FortiNAC-F 7.6.3 through 7.6.5, FortiOS 7.6.0 through 7.6.5, FortiOS 7.4.0 through 7.4.10, FortiOS 7.2.0 through 7.2.12, FortiOS 7.0.0 through 7.0.18, FortiProxy 7.6.0 through 7.6.4, FortiProxy 7.4.0 through 7.4.12, FortiProxy 7.2.0 through 7.2.15, FortiProxy 7.0.0 through 7.0.22, FortiWeb 8.0.0 through 8.0.3, FortiWeb 7.6.0 through 7.6.6, FortiWeb 7.4.0 through 7.4.11 may allow an attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts, if FortiCloud SSO authentication is enabled on those devices.
An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.5, FortiAnalyzer 7.4.0 through 7.4.9, FortiAnalyzer 7.2.0 through 7.2.11, FortiAnalyzer 7.0.0 through 7.0.15, FortiManager 7.6.0 through 7.6.5, FortiManager 7.4.0 through 7.4.9, FortiManager 7.2.0 through 7.2.11, FortiManager 7.0.0 through 7.0.15, FortiNAC-F 7.6.3 through 7.6.5, FortiOS 7.6.0 through 7.6.5, FortiOS 7.4.0 through 7.4.10, FortiOS 7.2.0 through 7.2.12, FortiOS 7.0.0 through 7.0.18, FortiProxy 7.6.0 through 7.6.4, FortiProxy 7.4.0 through 7.4.12, FortiProxy 7.2.0 through 7.2.15, FortiProxy 7.0.0 through 7.0.22, FortiWeb 8.0.0 through 8.0.3, FortiWeb 7.6.0 through 7.6.6, FortiWeb 7.4.0 through 7.4.11 may allow an attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts, if FortiCloud SSO authentication is enabled on those devices.
Una vulnerabilidad de omisión de autenticación usando una ruta o canal alternativo [CWE-288] en Fortinet FortiAnalyzer 7.6.0 hasta 7.6.5, FortiAnalyzer 7.4.0 hasta 7.4.9, FortiAnalyzer 7.2.0 hasta 7.2.11, FortiAnalyzer 7.0.0 hasta 7.0.15, FortiManager 7.6.0 hasta 7.6.5, FortiManager 7.4.0 hasta 7.4.9, FortiManager 7.2.0 hasta 7.2.11, FortiManager 7.0.0 hasta 7.0.15, FortiOS 7.6.0 hasta 7.6.5, FortiOS 7.4.0 hasta 7.4.10, FortiOS 7.2.0 hasta 7.2.12, FortiOS 7.0.0 hasta 7.0.18, FortiProxy 7.6.0 hasta 7.6.4, FortiProxy 7.4.0 hasta 7.4.12, FortiProxy 7.2.0 hasta 7.2.15, FortiProxy 7.0.0 hasta 7.0.22, FortiWeb 8.0.0 hasta 8.0.3, FortiWeb 7.6.0 hasta 7.6.6, FortiWeb 7.4.0 hasta 7.4.11 puede permitir a un atacante con una cuenta de FortiCloud y un dispositivo registrado iniciar sesión en otros dispositivos registrados en otras cuentas, si la autenticación SSO de FortiCloud está habilitada en esos dispositivos.
| Version | Type | Source | Base | Exp | Impact | Vector |
|---|---|---|---|---|---|---|
| 3.1 | Primary | cve.org | 9.4 | — | — | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
| 3.1 | Primary | cve.org | 9.4 | — | — | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C |
| 3.1 | Secondary | NVD | 9.8 | 3.9 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |