{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23708", "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "state": "PUBLISHED", "assignerShortName": "fortinet", "dateReserved": "2026-01-15T13:00:41.463Z", "datePublished": "2026-04-14T15:38:18.327Z", "dateUpdated": "2026-04-15T03:58:22.574Z"}, "containers": {"cna": {"affected": [{"vendor": "Fortinet", "product": "FortiSOAR PaaS", "cpes": ["cpe:2.3:a:fortinet:fortisoarpaas:7.6.3:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisoarpaas:7.6.2:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisoarpaas:7.6.1:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisoarpaas:7.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisoarpaas:7.5.2:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisoarpaas:7.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisoarpaas:7.5.0:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"versionType": "semver", "version": "7.6.0", "lessThanOrEqual": "7.6.3", "status": "affected"}, {"versionType": "semver", "version": "7.5.0", "lessThanOrEqual": "7.5.2", "status": "affected"}]}, {"vendor": "Fortinet", "product": "FortiSOAR on-premise", "cpes": ["cpe:2.3:a:fortinet:fortisoaron-premise:7.6.3:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisoaron-premise:7.6.2:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisoaron-premise:7.6.1:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisoaron-premise:7.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisoaron-premise:7.5.2:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisoaron-premise:7.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisoaron-premise:7.5.0:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"versionType": "semver", "version": "7.6.0", "lessThanOrEqual": "7.6.3", "status": "affected"}, {"versionType": "semver", "version": "7.5.0", "lessThanOrEqual": "7.5.2", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A improper authentication vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.3, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR on-premise 7.6.0 through 7.6.3, FortiSOAR on-premise 7.5.0 through 7.5.2 may allow an unauthenticated attacker to bypass authentication via replaying captured 2FA request. The attack requires being able to intercept and decrypt authentication traffic and precise timing to replay the request before token expiration, which raises the attack complexity."}], "providerMetadata": {"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "shortName": "fortinet", "dateUpdated": "2026-04-14T15:38:18.327Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-287", "description": "Escalation of privilege", "type": "CWE"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C"}}], "solutions": [{"lang": "en", "value": "Upgrade to FortiSOAR PaaS version 7.6.4 or above\nUpgrade to upcoming FortiSOAR PaaS version 7.5.3 or above\nUpgrade to FortiSOAR on-premise version 7.6.4 or above\nUpgrade to upcoming FortiSOAR on-premise version 7.5.3 or above"}], "references": [{"name": "https://fortiguard.fortinet.com/psirt/FG-IR-26-101", "url": "https://fortiguard.fortinet.com/psirt/FG-IR-26-101"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-23708"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T03:58:22.574Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23708", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-14T16:26:28.051062Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T16:37:16.911Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"cpes": ["cpe:2.3:a:fortinet:fortisoarpaas:7.6.3:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisoarpaas:7.6.2:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisoarpaas:7.6.1:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisoarpaas:7.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisoarpaas:7.5.2:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisoarpaas:7.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisoarpaas:7.5.0:*:*:*:*:*:*:*"], "vendor": "Fortinet", "product": "FortiSOAR PaaS", "versions": [{"status": "affected", "version": "7.6.0", "versionType": "semver", "lessThanOrEqual": "7.6.3"}, {"status": "affected", "version": "7.5.0", "versionType": "semver", "lessThanOrEqual": "7.5.2"}], "defaultStatus": "unaffected"}, {"cpes": ["cpe:2.3:a:fortinet:fortisoaron-premise:7.6.3:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisoaron-premise:7.6.2:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisoaron-premise:7.6.1:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisoaron-premise:7.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisoaron-premise:7.5.2:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisoaron-premise:7.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisoaron-premise:7.5.0:*:*:*:*:*:*:*"], "vendor": "Fortinet", "product": "FortiSOAR on-premise", "versions": [{"status": "affected", "version": "7.6.0", "versionType": "semver", "lessThanOrEqual": "7.6.3"}, {"status": "affected", "version": "7.5.0", "versionType": "semver", "lessThanOrEqual": "7.5.2"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Upgrade to FortiSOAR PaaS version 7.6.4 or above\nUpgrade to upcoming FortiSOAR PaaS version 7.5.3 or above\nUpgrade to FortiSOAR on-premise version 7.6.4 or above\nUpgrade to upcoming FortiSOAR on-premise version 7.5.3 or above"}], "references": [{"url": "https://fortiguard.fortinet.com/psirt/FG-IR-26-101", "name": "https://fortiguard.fortinet.com/psirt/FG-IR-26-101"}], "descriptions": [{"lang": "en", "value": "A improper authentication vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.3, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR on-premise 7.6.0 through 7.6.3, FortiSOAR on-premise 7.5.0 through 7.5.2 may allow an unauthenticated attacker to bypass authentication via replaying captured 2FA request. The attack requires being able to intercept and decrypt authentication traffic and precise timing to replay the request before token expiration, which raises the attack complexity."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "Escalation of privilege"}]}], "providerMetadata": {"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "shortName": "fortinet", "dateUpdated": "2026-04-14T15:38:18.327Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23708", "state": "PUBLISHED", "dateUpdated": "2026-04-14T16:46:15.754Z", "dateReserved": "2026-01-15T13:00:41.463Z", "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "datePublished": "2026-04-14T15:38:18.327Z", "assignerShortName": "fortinet"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A improper authentication vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.3, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR on-premise 7.6.0 through 7.6.3, FortiSOAR on-premise 7.5.0 through 7.5.2 may allow an unauthenticated attacker to bypass authentication via replaying captured 2FA request. The attack requires being able to intercept and decrypt authentication traffic and precise timing to replay the request before token expiration, which raises the attack complexity."}], "id": "CVE-2026-23708", "lastModified": "2026-04-14T16:16:37.277", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "psirt@fortinet.com", "type": "Secondary"}]}, "published": "2026-04-14T16:16:37.277", "references": [{"source": "psirt@fortinet.com", "url": "https://fortiguard.fortinet.com/psirt/FG-IR-26-101"}], "sourceIdentifier": "psirt@fortinet.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "psirt@fortinet.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[7.6.0,7.6.3]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[7.5.0,7.5.2]"}}], "enrichment": {"confidence": 90.0, "confidence_source": "inferred", "scores": [{"score": 90.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "FortiSOAR on-premise", "source": "cna", "vendor": "Fortinet"}, "product": "fortisoaron-premise", "vendor": "fortinet"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[7.6.0,7.6.3]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[7.5.0,7.5.2]"}}], "enrichment": {"confidence": 90.0, "confidence_source": "inferred", "scores": [{"score": 90.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "FortiSOAR PaaS", "source": "cna", "vendor": "Fortinet"}, "product": "fortisoarpaas", "vendor": "fortinet"}], "analysis": {"en": {"generated_at": "2026-04-14T18:12:34.580600+00:00", "value": {"mitigation_remediation": ["Upgrade FortiSOAR PaaS to version 7.6.4 or newer", "Upgrade to upcoming FortiSOAR PaaS version 7.5.3 or newer", "Upgrade FortiSOAR on\u2011premise to version 7.6.4 or newer", "Upgrade to upcoming FortiSOAR on\u2011premise version 7.5.3 or newer"], "summary": {"action": "Apply Patch", "impact": "Authentication Bypass via 2FA Replay"}, "threat_synthesis": {"affected_systems": "Fortinet FortiSOAR PaaS versions 7.5.0 through 7.5.2 and 7.6.0 through 7.6.3, as well as FortiSOAR on\u2011premise versions 7.5.0 through 7.5.2 and 7.6.0 through 7.6.3 are affected. Users running any of these versions are at risk if no updates have been applied.", "description_and_impact": "An improper authentication flaw allows an attacker who has captured a two\u2011factor authentication request to replay it and bypass authentication. This flaw enables unauthenticated access to FortiSOAR services, potentially granting full control without the need to guess credentials or exploit other vulnerabilities. The weakness is categorized as CWE\u2011287, indicating an authentication bypass issue.", "risk_and_exploitability": "The CVSS base score of 6.7 reflects moderate severity. The attack requires the adversary to intercept, decrypt, and precisely time the replay of authentication traffic before the two\u2011factor token expires, raising attack complexity. No EPSS data is available and the vulnerability is not listed in the CISA KEV catalog, so the overall risk is moderate pending remediation."}}}}, "created": "2026-04-15T14:41:09.659574+00:00", "title": "Replay of 2FA Request Enables Authentication Bypass in FortiSOAR", "updated": "2026-04-15T15:30:06.820211+00:00", "vendors": ["fortinet", "fortinet$PRODUCT$fortisoaron-premise", "fortinet$PRODUCT$fortisoarpaas"]}