Fortinet FortiAuthenticator Vulnerable to Sensitive Data Exposure
A critical out-of-bounds read vulnerability in Fortinet's FortiAuthenticator may allow unauthenticated attackers to access sensitive information.

Fortinet has issued a security advisory detailing an out-of-bounds read vulnerability affecting its FortiAuthenticator product. The flaw, identified as CWE-125, carries a CVSSv3 score of 7.0, indicating a high severity level. This vulnerability could be exploited by a remote, unauthenticated attacker through the submission of a specially crafted network request.
The primary impact of this vulnerability is the potential for unauthorized access to sensitive information stored within the FortiAuthenticator system. Attackers could leverage this to gather credentials, configuration details, or other proprietary data, which could then be used for further network compromise or espionage. The exploitability via a network request means that an attacker does not need direct access to the device or internal network segments, significantly broadening the attack surface.
Fortinet has provided specific version information regarding the affected products. FortiAuthenticator versions 6.6.0 through 6.6.2 are confirmed to be vulnerable. Additionally, versions 6.5.0 through 6.5.7 of the 6.5 release branch are also impacted. FortiAuthenticator version 8.0 is noted as not affected by this particular vulnerability.
To mitigate the risk posed by this flaw, Fortinet recommends that users upgrade their affected FortiAuthenticator instances. For those running version 6.6, the upgrade path is to version 6.6.3 or any later release. Users on the 6.5 branch should upgrade to the upcoming 6.5.8 release or a subsequent version. These updates are expected to contain the necessary patches to address the out-of-bounds read vulnerability.
The vulnerability was discovered and reported responsibly by Jonathan Bailey and Jon Kraft from Business Communications, Inc. (BCI). Fortinet has acknowledged their contribution, highlighting the importance of responsible disclosure in the cybersecurity ecosystem. The timeline indicates that the advisory was first published on July 14, 2026, suggesting that patches may have been available around this date or shortly thereafter.
This incident underscores the ongoing security challenges faced by network authentication and access management solutions. As these systems become more complex and integrated into enterprise infrastructures, vulnerabilities that allow for sensitive data exposure can have far-reaching consequences. Organizations relying on FortiAuthenticator should prioritize applying the recommended updates to safeguard their network security posture and prevent potential data breaches.