Description
An improper export of Android application components vulnerability in Fortinet FortiTokenAndroid 6.2 all versions, FortiTokenAndroid 6.1 all versions, FortiTokenAndroid 5.2 all versions may allow an attacker to disclose information via an exported Content Provider URI.
Published: 2026-05-12
Score: 5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from improperly exported Android application components in Fortinet FortiTokenAndroid versions 5.2.x, 6.1.x, and 6.2.x. Because the app exposes a Content Provider URI without adequate access controls, an attacker can resolve the URI and query the provider to reveal sensitive information such as token credentials or other data stored by the app. The flaw permits unauthorized disclosure of data, potentially enabling credential theft or other privileged actions, and is classified as CWE-926.

Affected Systems

Fortinet FortiTokenAndroid on Android devices is affected in all 5.2.x, 6.1.x, and 6.2.x releases. The issue is mitigated by upgrading to version 6.4.0 or newer.

Risk and Exploitability

We rate the severity with a CVSS score of 5, indicating a medium risk. The EPSS score is < 1%, and the vulnerability is not listed in the CISA KEV catalog, implying no known mass exploit. The likely attack vector is via an exported Content Provider URI that can be accessed by a malicious application or by a local attacker with sufficient privileges. The practical exploitability depends on device configuration and the presence of poorly secured third‑party apps, but the risk remains moderate without a publicly known exploit.

Generated by OpenCVE AI on June 26, 2026 at 09:23 UTC.

Remediation

Vendor Solution

Upgrade to FortiTokenAndroid version 6.4.0 or above


OpenCVE Recommended Actions

  • Upgrade FortiTokenAndroid to version 6.4.0 or newer.
  • Ensure that all Android activity, service, and broadcast receiver components in the application are set to exported="false" unless explicitly required, and that intent filters do not expose sensitive functionality.
  • Apply additional access control checks on token provisioning interfaces so that only authenticated and authorized users can invoke token operations.
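
The export check recommended above can be automated against a decoded AndroidManifest.xml. The following is an added example, not code from OpenCVE or Fortinet; it also covers `<provider>` elements, which the list above omits but which are the component type this CVE concerns. The package, component and permission names in the sample manifest are hypothetical.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
COMPONENTS = {"activity", "service", "receiver", "provider"}

# Constructed sample manifest for a hypothetical app (not FortiToken's manifest).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.tokenapp">
  <uses-sdk android:minSdkVersion="23" android:targetSdkVersion="30"/>
  <application>
    <provider android:name=".TokenProvider" android:exported="true"
        android:authorities="com.example.tokenapp.tokens"/>
    <provider android:name=".LogProvider" android:exported="true"
        android:authorities="com.example.tokenapp.logs"
        android:readPermission="com.example.tokenapp.READ_LOGS"/>
    <provider android:name=".CacheProvider"
        android:authorities="com.example.tokenapp.cache"/>
    <receiver android:name=".PushReceiver">
      <intent-filter><action android:name="com.example.tokenapp.PUSH"/></intent-filter>
    </receiver>
    <service android:name=".SyncService" android:exported="false"/>
  </application>
</manifest>"""

def is_exported(elem, lowest_sdk):
    explicit = elem.get(A + "exported")
    if explicit is not None:  # an explicit attribute always wins
        return explicit.lower() == "true"
    if elem.tag == "provider":
        return lowest_sdk <= 16  # providers defaulted to exported up to API 16
    return elem.find("intent-filter") is not None  # implicit export via filter

def audit_manifest(xml_text):
    """Return (tag, name) for each exported component with no read guard."""
    root = ET.fromstring(xml_text)
    sdk = root.find("uses-sdk")
    levels = [int(sdk.get(A + k)) for k in ("minSdkVersion", "targetSdkVersion")
              if sdk is not None and sdk.get(A + k)]
    lowest_sdk = min(levels, default=1)
    findings = []
    for elem in root.iter():
        if elem.tag not in COMPONENTS or not is_exported(elem, lowest_sdk):
            continue
        attrs = ("permission", "readPermission") if elem.tag == "provider" else ("permission",)
        if not any(elem.get(A + a) for a in attrs):
            findings.append((elem.tag, elem.get(A + "name")))
    return findings

print(audit_manifest(SAMPLE_MANIFEST))
```

A component that does carry a permission is not reported, but the protection level of that permission still needs a manual check, since a `normal`-level permission can be requested by any installed app.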



Advisories

No advisories yet.

History

Fri, 26 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
Title Improper Export of Android Components Allows Unauthorized Access in FortiTokenAndroid

Fri, 26 Jun 2026 08:45:00 +0000

Type: Description
Values Removed: A improper export of android application components vulnerability in Fortinet FortiTokenAndroid 6.2 all versions, FortiTokenAndroid 6.1 all versions, FortiTokenAndroid 5.2 all versions may allow attacker to improper access control via <insert attack vector here>
Values Added: An improper export of android application components vulnerability in Fortinet FortiTokenAndroid 6.2 all versions, FortiTokenAndroid 6.1 all versions, FortiTokenAndroid 5.2 all versions may allow attacker to disclose information via an exported Content Provider URI.

Sat, 16 May 2026 02:00:00 +0000

Type Values Removed Values Added
First Time appeared Fortinet fortitoken Mobile
CPEs cpe:2.3:a:fortinet:fortitoken_mobile:5.2.0:*:*:*:*:android:*:*
cpe:2.3:a:fortinet:fortitoken_mobile:5.2.1:*:*:*:*:android:*:*
cpe:2.3:a:fortinet:fortitoken_mobile:5.2.2:*:*:*:*:android:*:*
cpe:2.3:a:fortinet:fortitoken_mobile:6.1.0:*:*:*:*:android:*:*
cpe:2.3:a:fortinet:fortitoken_mobile:6.2.0:*:*:*:*:android:*:*
Vendors & Products Fortinet fortitoken Mobile

Tue, 12 May 2026 20:30:00 +0000

Type Values Removed Values Added
Title Improper Export of Android Components Allows Unauthorized Access in FortiTokenAndroid

Tue, 12 May 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 12 May 2026 17:30:00 +0000

Type Values Removed Values Added
Description A improper export of android application components vulnerability in Fortinet FortiTokenAndroid 6.2 all versions, FortiTokenAndroid 6.1 all versions, FortiTokenAndroid 5.2 all versions may allow attacker to improper access control via <insert attack vector here>
First Time appeared Fortinet
Fortinet fortitokenandroid
Weaknesses CWE-926
CPEs cpe:2.3:a:fortinet:fortitokenandroid:5.2.0:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortitokenandroid:5.2.1:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortitokenandroid:5.2.2:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortitokenandroid:6.1.0:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortitokenandroid:6.2.0:*:*:*:*:*:*:*
Vendors & Products Fortinet
Fortinet fortitokenandroid
References
Metrics cvssV3_1

{'score': 5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: fortinet

Published:

Updated: 2026-06-26T08:23:24.786Z

Reserved: 2026-05-05T17:24:18.895Z

Link: CVE-2026-44279

Vulnrichment

Updated: 2026-05-12T19:02:31.790Z

NVD

Status: Analyzed

Published: 2026-05-12T18:17:30.330

Modified: 2026-06-17T10:50:26.130

Link: CVE-2026-44279

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T09:30:16Z

Weaknesses
  • CWE-926

    Improper Export of Android Application Components