=====================================================================

                            CERT-Renater

                Information Note No. 2026/VULN163
_____________________________________________________________________

DATE                : 13/02/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running FortiAuthenticator versions
                                 prior to 6.6.7.

=====================================================================
https://fortiguard.fortinet.com/psirt/FG-IR-25-528
_____________________________________________________________________

Missing authorization on CSV user import

Summary

A missing authorization vulnerability [CWE-862] in FortiAuthenticator
may allow a read-only admin to make modifications to local users via a
file upload to an unprotected endpoint.


Version                 Affected                Solution

FortiAuthenticator 8.0  Not affected            Not Applicable
FortiAuthenticator 6.6  6.6.0 through 6.6.6     Upgrade to 6.6.7 or above
FortiAuthenticator 6.5  6.5 all versions        Migrate to a fixed release
FortiAuthenticator 6.4  6.4 all versions        Migrate to a fixed release
FortiAuthenticator 6.3  6.3 all versions        Migrate to a fixed release


Acknowledgement
Discovered during an independent audit commissioned by Fortinet.


Timeline
2026-02-10: Initial publication
IR Number         FG-IR-25-528
Published Date         Feb 10, 2026
Component         GUI
Severity         Medium
CVSSv3 Score         6.8
Impact         Improper access control
CVE ID         CVE-2026-21743
=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================