CVE-2026-23708

CVE Database · CVE-2026-23708

CVE-2026-23708

· HIGHAnalyzed

CVSS v3.1

7.5

EPSS

0.28%

Published

Apr 14, 2026

Modified

May 6, 2026

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

A improper authentication vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.3, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR on-premise 7.6.0 through 7.6.3, FortiSOAR on-premise 7.5.0 through 7.5.2 may allow an unauthenticated attacker to bypass authentication via replaying captured 2FA request. The attack requires being able to intercept and decrypt authentication traffic and precise timing to replay the request before token expiration, which raises the attack complexity.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-287CWE-862

Affected Products (2)

fortinet · fortisoar (up to 7.5.3)vulnerable

fortinet · fortisoar (up to 7.6.4)vulnerable

References (1)

https://fortiguard.fortinet.com/psirt/FG-IR-26-101

Vendor Advisory

KEV Catalog EPSS Scores Vendors All CVEs