Vypr advisory · Published May 12, 2026 · Updated May 20, 2026 · 1 source

FortiTokenAndroid Vulnerability Allows OTP Disclosure via Exported Content Provider

Fortinet disclosed a vulnerability in FortiTokenAndroid where an exported Content Provider URI allows other apps on the same device to read OTP codes, with a CVSS score of 5.0.

Fortinet has disclosed a vulnerability in its FortiTokenAndroid application that could allow other applications on the same device to read one-time password (OTP) codes. The issue, classified under CWE-926 (Improper Export of Android Application Components), stems from an exported Content Provider URI that exposes OTP data to any app installed on the device. The vulnerability carries a CVSSv3 score of 5.0, indicating a moderate severity level.
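The CWE-926 pattern described above is visible in an app's manifest: a `<provider>` that is effectively exported and whose reads are not guarded by a permission can be queried by any co-installed app. The following checker is an added example, not Fortinet's code and not taken from the advisory; it resolves the effective export state of each provider (including the platform default when `android:exported` is absent) and grades what guards its reads. The package, class, authority and permission names in the embedded sample manifest are hypothetical and constructed for illustration.

```python
"""Audit an AndroidManifest.xml for content providers another app could query.

Added example (not Fortinet's code): a defender-side check for the CWE-926
pattern. For every <provider> it resolves whether the component is exported,
then inspects the permission guarding reads. All names below are hypothetical.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest: one provider with the advisory's weakness and
# three variants with progressively stronger guards.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.otpapp">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="33"/>
  <permission android:name="com.example.otpapp.READ_OTP"
      android:protectionLevel="signature"/>
  <permission android:name="com.example.otpapp.WEAK_READ"
      android:protectionLevel="normal"/>
  <application android:label="OTP demo">
    <!-- CWE-926: any app on the device may query this URI -->
    <provider android:name=".OtpProvider"
        android:authorities="com.example.otpapp.otp"
        android:exported="true"/>
    <!-- Reads require a signature-level permission (same signing key only) -->
    <provider android:name=".SignedOtpProvider"
        android:authorities="com.example.otpapp.otp.signed"
        android:exported="true"
        android:readPermission="com.example.otpapp.READ_OTP"/>
    <!-- Normal-level permission: granted automatically to any app that asks -->
    <provider android:name=".WeakOtpProvider"
        android:authorities="com.example.otpapp.otp.weak"
        android:exported="true"
        android:readPermission="com.example.otpapp.WEAK_READ"/>
    <!-- Not exported: the correct setting for in-app OTP storage -->
    <provider android:name=".PrivateOtpProvider"
        android:authorities="com.example.otpapp.otp.private"
        android:exported="false"/>
  </application>
</manifest>
"""


def _a(elem, name):
    """Read an attribute from the android: namespace (None if absent)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def effective_target_sdk(root):
    """targetSdkVersion, falling back to minSdkVersion, then to 1 as the platform does."""
    sdk = root.find("uses-sdk")
    if sdk is None:
        return 1
    return int(_a(sdk, "targetSdkVersion") or _a(sdk, "minSdkVersion") or 1)


def provider_is_exported(provider, target_sdk):
    """Effective export state of a <provider>.

    When android:exported is absent, providers default to exported for apps
    targeting API < 17 and to not exported from API 17 on (apps targeting
    API 31+ must declare the attribute explicitly).
    """
    explicit = _a(provider, "exported")
    if explicit is not None:
        return explicit.strip().lower() == "true"
    return target_sdk < 17


def declared_protection_levels(root):
    """Map custom <permission> names to their protectionLevel (default: normal)."""
    levels = {}
    for perm in root.iter("permission"):
        name = _a(perm, "name")
        if name:
            levels[name] = (_a(perm, "protectionLevel") or "normal").lower()
    return levels


def classify_provider(provider, target_sdk, levels):
    """Return (risk, reason) for reads of one provider: 'ok', 'medium' or 'high'."""
    if not provider_is_exported(provider, target_sdk):
        return "ok", "not exported"
    # readPermission governs reads; android:permission is the fallback for both directions.
    read_perm = _a(provider, "readPermission") or _a(provider, "permission")
    if read_perm is None:
        return "high", "exported with no permission guarding reads (CWE-926)"
    level = levels.get(read_perm)
    if level is None:
        return "medium", "read permission %s is not declared in this manifest" % read_perm
    if level.startswith("signature"):
        return "ok", "reads guarded by a %s-level permission" % level
    return "medium", "read permission is %s-level, which any app can request" % level


def audit_manifest(xml_text):
    """Return {provider name: (risk, reason)} for every <provider> in the manifest."""
    root = ET.fromstring(xml_text)
    target_sdk = effective_target_sdk(root)
    levels = declared_protection_levels(root)
    return {
        _a(p, "name"): classify_provider(p, target_sdk, levels)
        for p in root.findall("application/provider")
    }


if __name__ == "__main__":
    for name, (risk, reason) in audit_manifest(SAMPLE_MANIFEST).items():
        print("%-20s %-6s %s" % (name, risk.upper(), reason))
```

Run against a decoded APK's manifest (for example the output of `apktool` or `aapt2 dump xmltree`, converted to plain XML), the checker lists every provider and why it was graded; the `high` finding is the shape the advisory describes, while a provider that is not exported, or whose reads require a signature-level permission, is unreachable from an arbitrary app on the same device.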

The affected versions include FortiTokenAndroid 6.2, 6.1, and 5.2, with all versions in those branches considered vulnerable. FortiTokenAndroid 6.4 is not affected. The advisory notes that users should migrate to a fixed release, though no specific patched version number was provided in the initial disclosure. Fortinet credited Renan Dias for reporting the vulnerability.

The impact is limited to local access, meaning an attacker would need to have a malicious app installed on the same Android device as the FortiToken app. However, given that OTP codes are often used as a second factor for sensitive accounts, a local app could potentially intercept these codes and bypass two-factor authentication. This type of vulnerability is particularly concerning in enterprise environments where employees use mobile devices for authentication.

Fortinet has not assigned a CVE-ID to this vulnerability in the advisory, which is unusual for a security issue of this nature. The absence of a CVE may affect tracking and prioritization by security teams. The advisory was published on May 12, 2026, with no mention of active exploitation in the wild.

Users are advised to update their FortiTokenAndroid app to the latest available version from the Google Play Store or Fortinet's official channels. Organizations should also review their mobile device management policies to restrict installation of untrusted apps on devices used for authentication. This disclosure highlights the ongoing challenge of securing mobile applications that handle sensitive authentication data, especially when component export settings are misconfigured.

Synthesized by Vypr AI