FORTINET Security Advisory
Published Date: May 12, 2026
Advisory Summary
⬢ ➤ Critical Security Alert: Improper Access Control in FortiAuthenticator API Endpoints
Fortinet has disclosed a critical security vulnerability in FortiAuthenticator identified as an Improper Access Control issue (CWE-284) with a high CVSSv3 score of 9.1. This flaw permits unauthenticated attackers to send specially crafted requests to API endpoints, potentially executing unauthorized code or commands remotely. Given the severity and exploitability, organizations leveraging FortiAuthenticator should prioritize immediate assessment and remediation to safeguard authentication infrastructures against unauthorized access or control.
- Review Fortinet’s official security bulletin.
- Apply the latest security patches or workarounds provided.
- Monitor API endpoint activity closely for suspicious request patterns.
- Strengthen network segmentation and access controls around the FortiAuthenticator service.
This vulnerability underscores the critical need for robust access control mechanisms in authentication and identity management solutions within enterprise environments.
Reference: Vendor Advisory