High severity7.5NVD Advisory· Published Apr 14, 2026· Updated May 6, 2026

CVE-2026-23708

Description

A improper authentication vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.3, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR on-premise 7.6.0 through 7.6.3, FortiSOAR on-premise 7.5.0 through 7.5.2 may allow an unauthenticated attacker to bypass authentication via replaying captured 2FA request. The attack requires being able to intercept and decrypt authentication traffic and precise timing to replay the request before token expiration, which raises the attack complexity.

Affected products

Fortinet/Fortisoarinferred2 versions
>=7.6.0,<7.6.4+ 1 more
- (no CPE)range: >=7.6.0,<7.6.4
- cpe:2.3:a:fortinet:fortisoar:*:*:*:*:*:*:*:*range: >=7.5.0,<7.5.3

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

fortiguard.fortinet.com/psirt/FG-IR-26-101nvdVendor Advisory

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000