Fortinet Warns of SQL Injection Vulnerability in FortiNDR Network Detection and Response Appliances
Fortinet has disclosed an SQL injection vulnerability (FG-IR-26-134, CWE-89) in its FortiNDR network detection and response platform that could allow an authenticated attacker to execute arbitrary SQL commands on backend databases.

Fortinet on May 12, 2026, published a security advisory warning of an SQL injection vulnerability (FG-IR-26-134) affecting multiple versions of its FortiNDR network detection and response appliance. The flaw, classified under CWE-89 with a CVSSv3 score of 5.1, arises from improper neutralization of special elements used in SQL commands. An authenticated attacker can exploit the issue by sending specially crafted HTTP requests to execute arbitrary SQL commands on selected databases and tables, potentially compromising the integrity of stored threat detection data and configurations.
The vulnerable product, FortiNDR, is Fortinet's AI-driven network detection and response solution designed to identify advanced threats, malware, and anomalous network behavior. Deployed primarily in enterprise and critical infrastructure environments, the platform ingests network telemetry and correlates threat intelligence. A successful SQL injection attack could allow an adversary to manipulate detection rules, extract sensitive metadata about network assets, or corrupt stored threat intelligence used by the broader Fortinet Security Fabric.
The following versions are affected: FortiNDR 7.6.0 through 7.6.2, FortiNDR 7.4.0 through 7.4.9, and all versions of FortiNDR 7.2, 7.1, and 7.0. Fortinet has released patches across the supported branches. Customers running FortiNDR 7.6 are advised to upgrade to version 7.6.3 or above. Those on FortiNDR 7.4 should upgrade to version 7.4.10 or above. Users on the older 7.2, 7.1, and 7.0 branches, which have reached end-of-life or limited support, are advised to migrate to a fixed release to fully address the vulnerability.
The advisory notes that the vulnerability was discovered internally by Fortinet researcher Dipanjan Das, and no external reports of active exploitation in the wild have been confirmed at the time of publication. The issue has not been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, nor has public proof-of-concept exploit code been released. However, given that the attack vector requires only authenticated access and crafted HTTP requests, security teams should prioritize patching to prevent potential privilege escalation or data tampering from low-privileged accounts.
This disclosure adds to a steady stream of post-authentication SQL injection flaws found in enterprise appliances, where the line between authenticated and unauthenticated access can blur if weak credential management or default accounts are in use. Organizations running FortiNDR should audit their current version and apply the appropriate update or migration path as outlined in FG-IR-26-134. Network segmentation and strict role-based access controls can serve as compensating controls until patches are fully deployed.
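The affected ranges and fixed releases listed above can be turned into a quick inventory audit. The following is an added example, not code from Fortinet or the advisory; the hostnames and the inventory format are constructed, and it assumes versions are recorded as `major.minor.patch` strings.

```python
import re

# Branch -> first fixed patch level for FG-IR-26-134, as listed in the article.
# None means every release on that branch is affected and migration is advised.
FIXED_PATCH = {(7, 6): 3, (7, 4): 10, (7, 2): None, (7, 1): None, (7, 0): None}

def triage(version):
    """Return (status, action) for a FortiNDR version string such as '7.4.9'."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        return ("unknown", "unparseable version string, check manually")
    # Compare as integers: a string comparison would rank "7.4.10" below "7.4.9".
    major, minor, patch = (int(part) for part in m.groups())
    branch = (major, minor)
    if branch not in FIXED_PATCH:
        return ("unknown", "branch not listed in the article, consult FG-IR-26-134")
    fixed = FIXED_PATCH[branch]
    if fixed is None:
        return ("affected", "all versions affected, migrate to a fixed release")
    if patch < fixed:
        return ("affected", f"upgrade to {major}.{minor}.{fixed} or above")
    return ("fixed", "no action needed for FG-IR-26-134")

def audit(inventory):
    """Map each host in a {host: version} inventory to its triage result."""
    return {host: triage(version) for host, version in inventory.items()}

# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE = {
    "ndr-dc1": "7.6.2",
    "ndr-dc2": "7.6.3",
    "ndr-branch1": "7.4.9",
    "ndr-branch2": "7.4.10",
    "ndr-lab": "7.2.5",
    "ndr-new": "not reported",
}

if __name__ == "__main__":
    for host, (status, action) in audit(SAMPLE).items():
        print(f"{host:12} {SAMPLE[host]:13} {status:9} {action}")
```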