VYPR
advisoryPublished Jul 14, 2026· 1 source

Fortinet Devices Vulnerable to HTTP Response Splitting via Captive Portal

FortiOS and FortiProxy captive portals are susceptible to an HTTP Response Splitting vulnerability that allows attackers to inject arbitrary headers.

Fortinet has disclosed a critical vulnerability affecting the captive portal authentication forms in its FortiOS and FortiProxy products. The flaw, identified as an Improper Neutralization of CRLF Sequences in HTTP Headers (CWE-113), also known as HTTP Response Splitting, could allow an attacker to inject arbitrary HTTP headers into responses.

This vulnerability specifically targets the authentication process within the captive portal, a common feature used to redirect users to a login page before granting network access. An attacker with the ability to intercept and modify network traffic between a user and the captive portal could exploit this flaw. By crafting malicious HTTP requests, they could inject headers that manipulate the server's response, potentially leading to various security issues.

The CVSSv3 score for this vulnerability is rated at 3.1, indicating a low severity. However, the potential for header injection can be a stepping stone for more complex attacks, especially in environments where captive portals are used for initial network access control. The ability to inject headers could be leveraged to bypass security controls, redirect users to malicious sites, or potentially facilitate other forms of web-based attacks.

Fortinet has provided specific version information for affected products. FortiOS versions 7.6.0 through 7.6.4 and all versions of FortiOS 7.4 and 7.2 are impacted. Similarly, for FortiProxy, versions 7.6.0 through 7.6.4 and all versions of 7.4 and 7.2 are affected. FortiOS 8.0 is noted as not affected.

To address this vulnerability, Fortinet recommends upgrading to FortiOS 7.6.5 or later for affected 7.6 versions. For versions 7.4 and 7.2 of both FortiOS and FortiProxy, users are advised to migrate to a fixed release, with Fortinet providing an upgrade tool to assist customers in navigating their upgrade paths.

The vulnerability was responsibly disclosed by Vang3lis from VARAS@IIE. Fortinet has published the advisory on July 14, 2026, marking the initial publication date for this security issue.

While the CVSS score is low, administrators should prioritize patching these devices, especially those exposed to untrusted networks where captive portals are in use. The ease of interception and modification of traffic in such scenarios makes this a practical threat that requires prompt attention to prevent potential misuse.

Synthesized by Vypr AI