Fortinet Discloses SQL Injection Vulnerability in FortiAnalyzer and FortiManager
Fortinet has disclosed an SQL injection vulnerability affecting FortiAnalyzer, FortiManager, and their cloud variants, allowing authenticated privileged attackers to execute unauthorized code or commands.

Fortinet has disclosed a critical SQL injection vulnerability (CWE-89) in its FortiAnalyzer and FortiManager product lines, including their cloud-hosted counterparts. The flaw, tracked as FG-IR-26-111, allows an authenticated privileged attacker to execute unauthorized code or commands via crafted requests sent to the JSON RPC API. The vulnerability carries a CVSSv3 score of 6.8, indicating a medium-to-high severity risk for affected deployments.
The vulnerability stems from improper neutralization of special elements used in SQL commands, a classic injection flaw that can be exploited when an attacker with administrative access sends specially crafted API calls. While the attacker must already have privileged access, successful exploitation could lead to full database compromise, data exfiltration, or lateral movement within the network. The affected products are widely used for log management, analytics, and centralized network device management in enterprise environments.
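To illustrate the CWE-89 pattern the advisory describes, here is an added example (not Fortinet's code; the table schema, request shape and ADOM names are constructed and hypothetical): a toy JSON RPC handler that splices a request parameter into SQL text, beside a hardened version that allow-lists the value and binds it as a query parameter.

```python
import json
import sqlite3

# Constructed in-memory table standing in for a management database; the
# schema is hypothetical, not FortiAnalyzer's or FortiManager's real one.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE devices (name TEXT, adom TEXT, serial TEXT)")
    db.executemany("INSERT INTO devices VALUES (?, ?, ?)", [
        ("fw-branch-01", "root", "SERIAL-0001"),
        ("fw-branch-02", "root", "SERIAL-0002"),
        ("fw-hq-01", "finance", "SERIAL-0003"),
    ])
    return db

def handle_rpc_vulnerable(db, request_json):
    """CWE-89 pattern: the caller-supplied 'adom' is spliced into the SQL
    text, so quote characters in it change the query instead of the data."""
    req = json.loads(request_json)
    adom = req["params"]["adom"]
    sql = "SELECT name FROM devices WHERE adom = '" + adom + "' ORDER BY name"
    names = [row[0] for row in db.execute(sql)]
    return {"id": req["id"], "result": names}

def handle_rpc_fixed(db, request_json):
    """Hardened: an allow-list check on the name plus a bound parameter.
    Even without the allow-list, the bound value is compared literally as a
    whole string and the crafted input would simply match no rows."""
    req = json.loads(request_json)
    adom = req["params"].get("adom")
    if not isinstance(adom, str) or not adom.replace("_", "").isalnum():
        return {"id": req["id"], "error": "invalid adom name"}
    sql = "SELECT name FROM devices WHERE adom = ? ORDER BY name"
    names = [row[0] for row in db.execute(sql, (adom,))]
    return {"id": req["id"], "result": names}

# Constructed requests: a normal lookup and one carrying a SQL tautology.
NORMAL = json.dumps({"id": 1, "method": "get", "params": {"adom": "finance"}})
CRAFTED = json.dumps({"id": 2, "method": "get",
                      "params": {"adom": "finance' OR '1'='1"}})

if __name__ == "__main__":
    db = make_db()
    print(handle_rpc_vulnerable(db, CRAFTED))  # every device, across all ADOMs
    print(handle_rpc_fixed(db, CRAFTED))       # rejected before any query runs
```

The vulnerable handler returns devices from every ADOM for the crafted request, which is the privilege boundary a parameterized query keeps intact.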
Fortinet's advisory lists multiple affected versions across FortiAnalyzer 7.6, 7.4, 7.2, and 7.0, as well as FortiManager 7.6, 7.4, 7.2, and 7.0. The cloud variants of both products are similarly impacted. Version 6.4 of both products is not affected. The company has released patches for the latest supported branches, with upgrades to FortiAnalyzer 7.6.5, FortiManager 7.6.5, and their cloud equivalents resolving the issue. For the older 7.2 and 7.0 branches, Fortinet recommends migrating to a fixed release.
The vulnerability was discovered internally and reported by David Maciejak of Fortinet's Product Security team, and there is no evidence of active exploitation in the wild at the time of disclosure. Because privileged access is required, the flaw is less likely to be exploited in mass attacks but could be leveraged in targeted campaigns against organizations that are already compromised. The vulnerability has not been added to CISA's Known Exploited Vulnerabilities (KEV) catalog.
This disclosure follows a pattern of SQL injection vulnerabilities in Fortinet products, including recent advisories for FortiNDR and FortiMail. The company has been proactive in patching these issues, but the recurrence highlights the challenge of securing complex API surfaces in enterprise management platforms. Organizations using FortiAnalyzer or FortiManager should prioritize upgrading to the fixed versions to mitigate the risk of privilege escalation or data compromise.
The advisory was published on April 14, 2026, with no workarounds provided beyond upgrading. Fortinet recommends that customers review their current version and apply the appropriate patch or migration path as soon as possible. Given the sensitive nature of the data these products handle—including logs, configuration backups, and network analytics—delaying the patch could expose organizations to significant operational and security risks.