CVE-2026-23708
HIGH WAF: Low
CVSS 8.1
Published: 2026-04-14
CWE-287 CWE-862
A improper authentication vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.3, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR on-premise 7.6.0 through 7.6.3, FortiSOAR on-premise 7.5.0 through 7.5.2 may allow an unauthenticated attacker to bypass authentication via replaying captured 2FA request. The attack requires being able to intercept and decrypt authentication traffic and precise timing to replay the request before token expiration, which raises the attack complexity.
WAF Coverage Analysis
Improper Authentication
Low WAF Coverage
OWASP: A07:2021 Identification and Authentication Failures
Missing Authorization
Low WAF Coverage
OWASP: A01:2021 Broken Access Control
Affected Software
| Vendor | Product | Version |
|---|---|---|
| fortinet | fortisoar | 7.5.0 - 7.5.3 |
| fortinet | fortisoar | 7.6.0 - 7.6.4 |
References
- fortiguard.fortinet.com (Vendor Advisory)