Description
An improper access control vulnerability in Fortinet FortiPortal 7.4.0 through 7.4.7, FortiPortal 7.2.0 through 7.2.8, FortiPortal 7.0 all versions may allow an attacker to improper access control via <insert attack vector here>
Published: 2026-06-09
Score: 6.2 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper access control flaw in Fortinet FortiPortal versions 7.0, 7.2, and 7.4 that allows an attacker to gain unauthorized access to privileged functions or data, potentially compromising confidentiality and integrity. The weakness is identified as CWE‑284. The scenario may lead to an attacker manipulating portal settings, viewing sensitive information, or performing actions reserved for authenticated administrators.

Affected Systems

Affected systems include all FortiPortal installations running the earlier releases: 7.0.0 through 7.0.14, 7.2.0 through 7.2.8, and 7.4.0 through 7.4.7. If an environment uses any of these versions, the vulnerability is present. The most recent fixed releases are 7.4.8 and 7.2.9, which contain the necessary remediation.

Risk and Exploitability

The CVSS score of 6.2 places this vulnerability in the medium severity range. Its EPSS score is not currently available, so the immediate exploitation risk is uncertain, although the lack of a KEV listing reduces the expectation of widespread attacks. Attackers would need network or web access to the FortiPortal instance; based on the description, the likely vector is the administrative interface or the underlying web services.

Generated by OpenCVE AI on June 9, 2026 at 16:22 UTC.

Remediation

Vendor Solution

  • Upgrade to FortiPortal version 7.4.8 or above
  • Upgrade to upcoming FortiPortal version 7.2.9 or above


OpenCVE Recommended Actions

  • Upgrade to FortiPortal version 7.4.8 or later
  • Upgrade to FortiPortal version 7.2.9 or later
  • Until the upgrade can be performed, block external access to the FortiPortal management interfaces using firewall rules or network segmentation


Advisories

No advisories yet.

History

Tue, 09 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Title Improper Access Control in FortiPortal Allowing Unauthorized Access

Tue, 09 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Description An improper access control vulnerability in Fortinet FortiPortal 7.4.0 through 7.4.7, FortiPortal 7.2.0 through 7.2.8, FortiPortal 7.0 all versions may allow an attacker to improper access control via <insert attack vector here>
First Time appeared Fortinet
Fortinet fortiportal
Weaknesses CWE-284
Vendors & Products Fortinet
Fortinet fortiportal
References
Metrics cvssV3_1

{'score': 6.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: fortinet

Published:

Updated: 2026-06-09T15:36:59.170Z

Reserved: 2026-06-02T15:05:18.629Z

Link: CVE-2026-49938

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-06-09T16:16:43.323

Modified: 2026-06-09T19:30:24.713

Link: CVE-2026-49938

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T16:30:08Z

Weaknesses