Description
A URL Redirection to Untrusted Site ('Open Redirect') vulnerability [CWE-601] in Fortinet FortiNAC-F 7.6.0 through 7.6.5, FortiNAC-F 7.4 all versions, and FortiNAC-F 7.2 all versions may allow a remote privileged attacker with the system administrator role to redirect users to an arbitrary website via a crafted CSV file.
Published: 2026-04-14
Score: 2.2 Low
EPSS: < 1% Very Low
KEV: No
Impact: Redirection to Untrusted Site (Open Redirect)
Action: Patch
AI Analysis

Impact

An Open Redirect flaw allows a remote attacker with system administrator privileges to trick authenticated users into visiting a malicious website by uploading a specially crafted CSV file. This vulnerability is classified as CWE‑601 and can be leveraged to facilitate phishing, credential theft, or further compromise when users interact with the redirected site.

Affected Systems

Fortinet FortiNAC‑F software is affected. Versions 7.6.0 through 7.6.5, all 7.4 releases, and all 7.2 releases are vulnerable if the system administrator role is present and a CSV file can be processed by the appliance.

Risk and Exploitability

The CVSS base score of 2.2 indicates low severity, and no EPSS data is available, suggesting limited exploitation likelihood. The flaw is not listed in the CISA KEV catalog. Exploitation requires administrative privileges and the user’s interaction with the crafted CSV file, so the attack vector is primarily administrative and user‑based rather than remote unauthenticated.

Generated by OpenCVE AI on April 14, 2026 at 17:37 UTC.

Remediation

Vendor Solution

Upgrade to upcoming FortiNAC-F version 7.6.6 or above


OpenCVE Recommended Actions

  • Upgrade FortiNAC‑F to version 7.6.6 or later

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 15:45:00 +0000

Title (values added): Open Redirect via Crafted CSV in Fortinet FortiNAC-F

Wed, 15 Apr 2026 14:45:00 +0000

First Time appeared (values added): Fortinet; Fortinet fortinac-f
Vendors & Products (values added): Fortinet; Fortinet fortinac-f

Tue, 14 Apr 2026 17:15:00 +0000

Metrics (values added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 16:00:00 +0000

Description (values added): An URL Redirection to Untrusted Site ('Open Redirect') vulnerability [CWE-601] vulnerability in Fortinet FortiNAC-F 7.6.0 through 7.6.5, FortiNAC-F 7.4 all versions, FortiNAC-F 7.2 all versions may allow a remote privileged attacker with system administrator role to redirect users to an arbitrary website via crafted CSV file.
Weaknesses (values added): CWE-601
References (values added): none recorded
Metrics (values added): cvssV3_1 {'score': 2.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C'}

MITRE

Status: PUBLISHED

Assigner: fortinet

Published:

Updated: 2026-04-14T16:15:52.069Z

Reserved: 2026-01-05T14:17:53.224Z

Link: CVE-2026-21741

Vulnrichment

Updated: 2026-04-14T16:15:49.239Z

NVD

Status : Received

Published: 2026-04-14T16:16:35.777

Modified: 2026-04-14T16:16:35.777

Link: CVE-2026-21741

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T15:30:06Z

Weaknesses