CVE-2026-22629

Summary

An improper restriction of excessive authentication attempts vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.4, FortiAnalyzer 7.4 all versions, FortiAnalyzer 7.2 all versions, FortiAnalyzer 7.0 all versions, FortiAnalyzer 6.4 all versions, FortiAnalyzer Cloud 7.6.0 through 7.6.4, FortiAnalyzer Cloud 7.4 all versions, FortiAnalyzer Cloud 7.2 all versions, FortiAnalyzer Cloud 7.0 all versions, FortiAnalyzer Cloud 6.4 all versions, FortiManager 7.6.0 through 7.6.4, FortiManager 7.4 all versions, FortiManager 7.2 all versions, FortiManager 7.0 all versions, FortiManager 6.4 all versions, FortiManager Cloud 7.6.0 through 7.6.4, FortiManager Cloud 7.4 all versions, FortiManager Cloud 7.2 all versions, FortiManager Cloud 7.0 all versions, FortiManager Cloud 6.4 all versions may allow an attacker to bypass bruteforce protections via exploitation of race conditions. The latter raises the complexity of practical exploitation.

Affected Software

VendorProductVersion RangeStatus
FortinetFortiAnalyzer7.6.0 <= 7.6.4affected
FortinetFortiAnalyzer7.4.0 <= 7.4.10affected
FortinetFortiAnalyzer7.2.0 <= 7.2.12affected
FortinetFortiAnalyzer7.0.0 <= 7.0.16affected
FortinetFortiAnalyzer6.4.0 <= 6.4.15affected
FortinetFortiManager Cloud7.6.2 <= 7.6.3affected
FortinetFortiManager Cloud7.4.1 <= 7.4.7affected
FortinetFortiManager Cloud7.2.1 <= 7.2.10affected
FortinetFortiManager Cloud7.0.1 <= 7.0.14affected
FortinetFortiManager Cloud6.4.1 <= 6.4.7affected
FortinetFortiAnalyzer Cloud7.6.2affected
FortinetFortiAnalyzer Cloud7.4.1 <= 7.4.7affected
FortinetFortiAnalyzer Cloud7.2.1 <= 7.2.10affected
FortinetFortiAnalyzer Cloud7.0.1 <= 7.0.14affected
FortinetFortiAnalyzer Cloud6.4.1 <= 6.4.7affected
FortinetFortiManager7.6.0 <= 7.6.4affected
FortinetFortiManager7.4.0 <= 7.4.10affected
FortinetFortiManager7.2.0 <= 7.2.12affected
FortinetFortiManager7.0.0 <= 7.0.16affected
FortinetFortiManager6.4.0 <= 6.4.15affected

Weaknesses

  • CWE-307: Improper access control

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References