CVE-2026-22572 - Vulnerability Details

- Authentication Bypass via Crafted Requests on FortiAnalyzer and FortiManager

Description

An authentication bypass using an alternate path or channel vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.3, FortiAnalyzer 7.4.0 through 7.4.7, FortiAnalyzer 7.2.2 through 7.2.11, FortiManager 7.6.0 through 7.6.3, FortiManager 7.4.0 through 7.4.7, FortiManager 7.2.2 through 7.2.11 may allow an attacker with knowledge of the admins password to bypass multifactor authentication checks via submitting multiple crafted requests.

Published: 2026-03-10

Score: 6.8 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

An authentication bypass flaw allows an attacker who knows an administrator's password to circumvent multifactor authentication by sending multiple crafted requests. The flaw is an example of a privilege escalation vulnerability where valid credentials can be abused to bypass security checks. The resulting loss of authentication integrity can lead to unauthorized system access and potential data compromise.

Affected Systems

Fortinet FortiAnalyzer versions 7.6.0 through 7.6.3, 7.4.0 through 7.4.7, and 7.2.2 through 7.2.11, as well as FortiManager versions 7.6.0 through 7.6.3, 7.4.0 through 7.4.7, and 7.2.2 through 7.2.11 are affected. The vulnerability is tied to the firmware and system software in these product lines.

Risk and Exploitability

The CVSS score of 6.8 places this as a medium severity issue, but the low EPSS score (< 1%) indicates a small chance of current exploitation. It is not listed in CISA’s KEV catalog. The attack vector requires knowledge of an admin password and the ability to send crafted HTTP requests to the management interface. The threat grows if the system is exposed to untrusted or semi‑trusted traffic, as the bypass can be enacted without additional authentication. Until patched, exposed devices should be isolated or access restricted until the vulnerability is mitigated.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Fortinet

FortiManager

unaffected

Version	Status	Constraints
`7.6.0`	affected	≤ 7.6.3
`7.4.0`	affected	≤ 7.4.7
`7.2.2`	affected	≤ 7.2.12

Fortinet

FortiAnalyzer

unaffected

Version	Status	Constraints
`7.6.0`	affected	≤ 7.6.3
`7.4.0`	affected	≤ 7.4.7
`7.2.2`	affected	≤ 7.2.12

Configuration 1 [-]

OR	cpe:2.3:a:fortinet:fortianalyzer::::::::
	cpe:2.3:a:fortinet:fortianalyzer::::::::
	cpe:2.3:a:fortinet:fortimanager::::::::
	cpe:2.3:a:fortinet:fortimanager::::::::
	cpe:2.3:a:fortinet:fortimanager_cloud::::::::
	cpe:2.3:a:fortinet:fortimanager_cloud::::::::

No data.

Vendor Product Confidence Versions

Fortinet

Fortianalyzer

100%

Version	Status	Scheme	Platform
`[7.6.0,7.6.3]`	affected	semver	—
`[7.4.0,7.4.7]`	affected	semver	—
`[7.2.2,7.2.12]`	affected	semver	—

Fortinet

Fortianalyzercloud

100%

Version	Status	Scheme	Platform
`7.6.2`	affected	semver	—
`[7.4.1,7.4.7]`	affected	semver	—
`[7.2.2,7.2.10]`	affected	semver	—

Fortinet

Fortimanager

100%

Version	Status	Scheme	Platform
`[7.6.0,7.6.3]`	affected	semver	—
`[7.4.0,7.4.7]`	affected	semver	—
`[7.2.2,7.2.12]`	affected	semver	—

Fortinet

Fortimanagercloud

100%

Version	Status	Scheme	Platform
`[7.6.2,7.6.3]`	affected	semver	—
`[7.4.1,7.4.7]`	affected	semver	—
`7.2.2`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

Vendor Solution

Upgrade to FortiManager version 7.6.4 or above Upgrade to FortiManager version 7.4.8 or above Upgrade to FortiAnalyzer version 7.6.4 or above Upgrade to FortiAnalyzer version 7.4.8 or above

OpenCVE Recommended Actions

Upgrade FortiAnalyzer to version 7.6.4 or newer, or at a minimum to 7.4.8 or newer to eliminate the flaw.
Upgrade FortiManager to version 7.6.4 or newer, or at a minimum to 7.4.8 or newer to remove the vulnerability.
Where upgrading to the latest releases is not immediately feasible, limit external access to management interfaces, enforce strict MFA policies, and monitor for repeated login attempts to detect potential bypass attempts.

Generated by OpenCVE AI on April 16, 2026 at 03:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00098.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://fortiguard.fortinet.com/psirt/FG-IR-26-090

History

Thu, 16 Apr 2026 04:15:00 +0000

Type	Values Removed	Values Added
Title		Authentication Bypass via Crafted Requests on FortiAnalyzer and FortiManager

Fri, 13 Mar 2026 20:15:00 +0000

Type	Values Removed	Values Added
Description	An authentication bypass using an alternate path or channel vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.3, FortiAnalyzer 7.4.0 through 7.4.7, FortiAnalyzer 7.2.2 through 7.2.11, FortiManager 7.6.0 through 7.6.3, FortiManager 7.4.0 through 7.4.7, FortiManager 7.2.2 through 7.2.11, FortiManager Cloud 7.6.0 through 7.6.3, FortiManager Cloud 7.4.0 through 7.4.7, FortiManager Cloud 7.2.2 through 7.2.10 may allow an attacker with knowledge of the admins password to bypass multifactor authentication checks via submitting multiple crafted requests.	An authentication bypass using an alternate path or channel vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.3, FortiAnalyzer 7.4.0 through 7.4.7, FortiAnalyzer 7.2.2 through 7.2.11, FortiManager 7.6.0 through 7.6.3, FortiManager 7.4.0 through 7.4.7, FortiManager 7.2.2 through 7.2.11 may allow an attacker with knowledge of the admins password to bypass multifactor authentication checks via submitting multiple crafted requests.

Fri, 13 Mar 2026 16:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Fortinet fortimanager Cloud
CPEs		cpe:2.3:a:fortinet:fortianalyzer:::::::: cpe:2.3:a:fortinet:fortimanager:::::::: cpe:2.3:a:fortinet:fortimanager_cloud::::::::
Vendors & Products		Fortinet fortimanager Cloud

Thu, 12 Mar 2026 15:15:00 +0000

Type	Values Removed	Values Added
Description	An authentication bypass using an alternate path or channel vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.3, FortiAnalyzer 7.4.0 through 7.4.7, FortiAnalyzer 7.2.2 through 7.2.11, FortiAnalyzer Cloud 7.6.0 through 7.6.3, FortiAnalyzer Cloud 7.4.0 through 7.4.7, FortiAnalyzer Cloud 7.2.2 through 7.2.10, FortiManager 7.6.0 through 7.6.3, FortiManager 7.4.0 through 7.4.7, FortiManager 7.2.2 through 7.2.11, FortiManager Cloud 7.6.0 through 7.6.3, FortiManager Cloud 7.4.0 through 7.4.7, FortiManager Cloud 7.2.2 through 7.2.10 may allow an attacker with knowledge of the admins password to bypass multifactor authentication checks via submitting multiple crafted requests.	An authentication bypass using an alternate path or channel vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.3, FortiAnalyzer 7.4.0 through 7.4.7, FortiAnalyzer 7.2.2 through 7.2.11, FortiManager 7.6.0 through 7.6.3, FortiManager 7.4.0 through 7.4.7, FortiManager 7.2.2 through 7.2.11, FortiManager Cloud 7.6.0 through 7.6.3, FortiManager Cloud 7.4.0 through 7.4.7, FortiManager Cloud 7.2.2 through 7.2.10 may allow an attacker with knowledge of the admins password to bypass multifactor authentication checks via submitting multiple crafted requests.
CPEs	cpe:2.3:a:fortinet:fortianalyzercloud:7.2.10:::::::* cpe:2.3:a:fortinet:fortianalyzercloud:7.2.2:::::::* cpe:2.3:a:fortinet:fortianalyzercloud:7.2.3:::::::* cpe:2.3:a:fortinet:fortianalyzercloud:7.2.4:::::::* cpe:2.3:a:fortinet:fortianalyzercloud:7.2.5:::::::* cpe:2.3:a:fortinet:fortianalyzercloud:7.2.6:::::::* cpe:2.3:a:fortinet:fortianalyzercloud:7.2.7:::::::* cpe:2.3:a:fortinet:fortianalyzercloud:7.2.8:::::::* cpe:2.3:a:fortinet:fortianalyzercloud:7.2.9:::::::* cpe:2.3:a:fortinet:fortianalyzercloud:7.4.1:::::::* cpe:2.3:a:fortinet:fortianalyzercloud:7.4.2:::::::* cpe:2.3:a:fortinet:fortianalyzercloud:7.4.3:::::::* cpe:2.3:a:fortinet:fortianalyzercloud:7.4.4:::::::* cpe:2.3:a:fortinet:fortianalyzercloud:7.4.5:::::::* cpe:2.3:a:fortinet:fortianalyzercloud:7.4.6:::::::* cpe:2.3:a:fortinet:fortianalyzercloud:7.4.7:::::::* cpe:2.3:a:fortinet:fortianalyzercloud:7.6.2:::::::* cpe:2.3:a:fortinet:fortimanagercloud:7.2.10:::::::* cpe:2.3:a:fortinet:fortimanagercloud:7.2.2:::::::* cpe:2.3:a:fortinet:fortimanagercloud:7.2.3:::::::* cpe:2.3:a:fortinet:fortimanagercloud:7.2.4:::::::* cpe:2.3:a:fortinet:fortimanagercloud:7.2.5:::::::* cpe:2.3:a:fortinet:fortimanagercloud:7.2.6:::::::* cpe:2.3:a:fortinet:fortimanagercloud:7.2.7:::::::* cpe:2.3:a:fortinet:fortimanagercloud:7.2.8:::::::* cpe:2.3:a:fortinet:fortimanagercloud:7.2.9:::::::* cpe:2.3:a:fortinet:fortimanagercloud:7.4.1:::::::* cpe:2.3:a:fortinet:fortimanagercloud:7.4.2:::::::* cpe:2.3:a:fortinet:fortimanagercloud:7.4.3:::::::* cpe:2.3:a:fortinet:fortimanagercloud:7.4.4:::::::* cpe:2.3:a:fortinet:fortimanagercloud:7.4.5:::::::* cpe:2.3:a:fortinet:fortimanagercloud:7.4.6:::::::* cpe:2.3:a:fortinet:fortimanagercloud:7.4.7:::::::* cpe:2.3:a:fortinet:fortimanagercloud:7.6.2:::::::* cpe:2.3:a:fortinet:fortimanagercloud:7.6.3:::::::*

Tue, 10 Mar 2026 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 10 Mar 2026 17:15:00 +0000

Type	Values Removed	Values Added
Description		An authentication bypass using an alternate path or channel vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.3, FortiAnalyzer 7.4.0 through 7.4.7, FortiAnalyzer 7.2.2 through 7.2.11, FortiAnalyzer Cloud 7.6.0 through 7.6.3, FortiAnalyzer Cloud 7.4.0 through 7.4.7, FortiAnalyzer Cloud 7.2.2 through 7.2.10, FortiManager 7.6.0 through 7.6.3, FortiManager 7.4.0 through 7.4.7, FortiManager 7.2.2 through 7.2.11, FortiManager Cloud 7.6.0 through 7.6.3, FortiManager Cloud 7.4.0 through 7.4.7, FortiManager Cloud 7.2.2 through 7.2.10 may allow an attacker with knowledge of the admins password to bypass multifactor authentication checks via submitting multiple crafted requests.
First Time appeared		Fortinet Fortinet fortianalyzer Fortinet fortianalyzercloud Fortinet fortimanager Fortinet fortimanagercloud
Weaknesses		CWE-288
CPEs		cpe:2.3:a:fortinet:fortianalyzercloud:7.2.10:::::::* cpe:2.3:a:fortinet:fortianalyzercloud:7.2.2:::::::* cpe:2.3:a:fortinet:fortianalyzercloud:7.2.3:::::::* cpe:2.3:a:fortinet:fortianalyzercloud:7.2.4:::::::* cpe:2.3:a:fortinet:fortianalyzercloud:7.2.5:::::::* cpe:2.3:a:fortinet:fortianalyzercloud:7.2.6:::::::* cpe:2.3:a:fortinet:fortianalyzercloud:7.2.7:::::::* cpe:2.3:a:fortinet:fortianalyzercloud:7.2.8:::::::* cpe:2.3:a:fortinet:fortianalyzercloud:7.2.9:::::::* cpe:2.3:a:fortinet:fortianalyzercloud:7.4.1:::::::* cpe:2.3:a:fortinet:fortianalyzercloud:7.4.2:::::::* cpe:2.3:a:fortinet:fortianalyzercloud:7.4.3:::::::* cpe:2.3:a:fortinet:fortianalyzercloud:7.4.4:::::::* cpe:2.3:a:fortinet:fortianalyzercloud:7.4.5:::::::* cpe:2.3:a:fortinet:fortianalyzercloud:7.4.6:::::::* cpe:2.3:a:fortinet:fortianalyzercloud:7.4.7:::::::* cpe:2.3:a:fortinet:fortianalyzercloud:7.6.2:::::::* cpe:2.3:a:fortinet:fortimanagercloud:7.2.10:::::::* cpe:2.3:a:fortinet:fortimanagercloud:7.2.2:::::::* cpe:2.3:a:fortinet:fortimanagercloud:7.2.3:::::::* cpe:2.3:a:fortinet:fortimanagercloud:7.2.4:::::::* cpe:2.3:a:fortinet:fortimanagercloud:7.2.5:::::::* cpe:2.3:a:fortinet:fortimanagercloud:7.2.6:::::::* cpe:2.3:a:fortinet:fortimanagercloud:7.2.7:::::::* cpe:2.3:a:fortinet:fortimanagercloud:7.2.8:::::::* cpe:2.3:a:fortinet:fortimanagercloud:7.2.9:::::::* cpe:2.3:a:fortinet:fortimanagercloud:7.4.1:::::::* cpe:2.3:a:fortinet:fortimanagercloud:7.4.2:::::::* cpe:2.3:a:fortinet:fortimanagercloud:7.4.3:::::::* cpe:2.3:a:fortinet:fortimanagercloud:7.4.4:::::::* cpe:2.3:a:fortinet:fortimanagercloud:7.4.5:::::::* cpe:2.3:a:fortinet:fortimanagercloud:7.4.6:::::::* cpe:2.3:a:fortinet:fortimanagercloud:7.4.7:::::::* cpe:2.3:a:fortinet:fortimanagercloud:7.6.2:::::::* cpe:2.3:a:fortinet:fortimanagercloud:7.6.3:::::::* cpe:2.3:o:fortinet:fortianalyzer:7.2.10:::::::* cpe:2.3:o:fortinet:fortianalyzer:7.2.11:::::::* cpe:2.3:o:fortinet:fortianalyzer:7.2.12:::::::* cpe:2.3:o:fortinet:fortianalyzer:7.2.2:::::::* cpe:2.3:o:fortinet:fortianalyzer:7.2.3:::::::* cpe:2.3:o:fortinet:fortianalyzer:7.2.4:::::::* cpe:2.3:o:fortinet:fortianalyzer:7.2.5:::::::* cpe:2.3:o:fortinet:fortianalyzer:7.2.6:::::::* cpe:2.3:o:fortinet:fortianalyzer:7.2.7:::::::* cpe:2.3:o:fortinet:fortianalyzer:7.2.8:::::::* cpe:2.3:o:fortinet:fortianalyzer:7.2.9:::::::* cpe:2.3:o:fortinet:fortianalyzer:7.4.0:::::::* cpe:2.3:o:fortinet:fortianalyzer:7.4.1:::::::* cpe:2.3:o:fortinet:fortianalyzer:7.4.2:::::::* cpe:2.3:o:fortinet:fortianalyzer:7.4.3:::::::* cpe:2.3:o:fortinet:fortianalyzer:7.4.4:::::::* cpe:2.3:o:fortinet:fortianalyzer:7.4.5:::::::* cpe:2.3:o:fortinet:fortianalyzer:7.4.6:::::::* cpe:2.3:o:fortinet:fortianalyzer:7.4.7:::::::* cpe:2.3:o:fortinet:fortianalyzer:7.6.0:::::::* cpe:2.3:o:fortinet:fortianalyzer:7.6.1:::::::* cpe:2.3:o:fortinet:fortianalyzer:7.6.2:::::::* cpe:2.3:o:fortinet:fortianalyzer:7.6.3:::::::* cpe:2.3:o:fortinet:fortimanager:7.2.10:::::::* cpe:2.3:o:fortinet:fortimanager:7.2.11:::::::* cpe:2.3:o:fortinet:fortimanager:7.2.12:::::::* cpe:2.3:o:fortinet:fortimanager:7.2.2:::::::* cpe:2.3:o:fortinet:fortimanager:7.2.3:::::::* cpe:2.3:o:fortinet:fortimanager:7.2.4:::::::* cpe:2.3:o:fortinet:fortimanager:7.2.5:::::::* cpe:2.3:o:fortinet:fortimanager:7.2.6:::::::* cpe:2.3:o:fortinet:fortimanager:7.2.7:::::::* cpe:2.3:o:fortinet:fortimanager:7.2.8:::::::* cpe:2.3:o:fortinet:fortimanager:7.2.9:::::::* cpe:2.3:o:fortinet:fortimanager:7.4.0:::::::* cpe:2.3:o:fortinet:fortimanager:7.4.1:::::::* cpe:2.3:o:fortinet:fortimanager:7.4.2:::::::* cpe:2.3:o:fortinet:fortimanager:7.4.3:::::::* cpe:2.3:o:fortinet:fortimanager:7.4.4:::::::* cpe:2.3:o:fortinet:fortimanager:7.4.5:::::::* cpe:2.3:o:fortinet:fortimanager:7.4.6:::::::* cpe:2.3:o:fortinet:fortimanager:7.4.7:::::::* cpe:2.3:o:fortinet:fortimanager:7.6.0:::::::* cpe:2.3:o:fortinet:fortimanager:7.6.1:::::::* cpe:2.3:o:fortinet:fortimanager:7.6.2:::::::* cpe:2.3:o:fortinet:fortimanager:7.6.3:::::::*
Vendors & Products		Fortinet Fortinet fortianalyzer Fortinet fortianalyzercloud Fortinet fortimanager Fortinet fortimanagercloud
References		https://fortiguard.fortinet.com/psirt/FG-IR-26-090
Metrics		cvssV3_1 `{'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C'}`

Subscriptions

Fortinet Fortianalyzer Fortianalyzercloud Fortimanager Fortimanager Cloud Fortimanagercloud

MITRE

Status: PUBLISHED

Assigner: fortinet

Published: 2026-03-10T16:44:16.080Z

Updated: 2026-03-13T19:56:38.713Z

Reserved: 2026-01-07T18:30:44.882Z

Link: CVE-2026-22572

Vulnrichment

Updated: 2026-03-10T17:34:33.979Z

NVD

Status : Modified

Published: 2026-03-10T18:18:12.250

Modified: 2026-03-16T14:18:11.980

Link: CVE-2026-22572

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T04:00:09Z

Weaknesses

CWE-288

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object