Description
An improper session timeout issue in Fortra's GoAnywhere MFT prior to version 7.10.0 results in SAML configured Web Users being redirected to the regular login page instead of the SAML login page.
Published: 2026-04-21
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SAML session redirection to standard login on timeout, undermining SSO flow
Action: Apply Patch
AI Analysis

Impact

An improper session timeout in Fortra’s GoAnywhere MFT causes web users configured with SAML authentication to be redirected to the standard login page instead of the SAML login page when a session ends. This misdirects the expected single‑sign‑on flow and may allow a user or attacker to authenticate via the regular login interface. Based on the description, it is inferred that this could enable access to the application using a non‑SAML authentication path, but the vulnerability does not provide direct code execution or sensitive data exposure.

Affected Systems

All releases of Fortra GoAnywhere MFT older than version 7.10.0 that are configured for SAML authentication.

Risk and Exploitability

The CVSS score of 4.3 indicates low‑to‑medium severity. No EPSS score is currently available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is web‑application based, inferred from the session‑timeout behavior described. Exploitation would require an attacker to observe a user’s SAML session when it times out and then use the standard login page to attempt authentication.

Generated by OpenCVE AI on April 22, 2026 at 06:46 UTC.

Remediation

Vendor Solution

Update to version 7.10.0 or higher of GoAnywhere MFT


OpenCVE Recommended Actions

  • Upgrade GoAnywhere MFT to version 7.10.0 or later.
  • Verify that expired SAML sessions redirect to the SAML login page instead of the standard login page.
  • Perform functional tests to ensure that session timeouts no longer present the regular login interface.


Advisories

No advisories yet.

History

Thu, 23 Apr 2026 14:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Fortra goanywhere Managed File Transfer |
| CPEs | | cpe:2.3:a:fortra:goanywhere_managed_file_transfer:*:*:*:*:*:*:*:* |
| Vendors & Products | | Fortra goanywhere Managed File Transfer |

Wed, 22 Apr 2026 12:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Fortra, Fortra goanywhere Mft |
| Vendors & Products | | Fortra, Fortra goanywhere Mft |

Wed, 22 Apr 2026 00:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Tue, 21 Apr 2026 14:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | An improper session timeout issue in Fortra's GoAnywhere MFT prior to version 7.10.0 results in SAML configured Web Users being redirected to the regular login page instead of the SAML login page. |
| Title | | GoAnywhere MFT SAML Sessions do not redirect to logout URL on session timeout |
| Weaknesses | | CWE-613 |
| References | | |
| Metrics | | cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'} |


MITRE

Status: PUBLISHED

Assigner: Fortra

Published:

Updated: 2026-04-21T19:26:58.470Z

Reserved: 2026-01-14T22:56:32.772Z

Link: CVE-2026-0971

Vulnrichment

Updated: 2026-04-21T19:26:53.216Z

NVD

Status: Analyzed

Published: 2026-04-21T15:16:35.717

Modified: 2026-04-23T14:00:26.143

Link: CVE-2026-0971

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T11:46:28Z

Weaknesses