FortiPortal - Insufficient Access Control over API endpoints


An Authorization Bypass Through User-Controlled Key vulnerability [CWE-639] affecting FortiPortal may allow a remote authenticated user with at least read-only permissions to access other organizations' endpoints via crafted GET requests.
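
The pattern behind CWE-639 in a multi-tenant portal, shown as an added illustration (hypothetical code, not FortiPortal's): an authenticated handler trusts the organization identifier from the request path, beside the same handler with an object-level authorization check. The data, user, and route are constructed for the example.

```python
# Hypothetical multi-tenant API: GET /orgs/<org_id>/devices
# Illustrates CWE-639 (Authorization Bypass Through User-Controlled Key)
# and the object-level check that closes it. Not FortiPortal's code.
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    org_id: str   # organization the user belongs to (read-only role assumed)

# Constructed sample data: each organization sees only its own devices.
DEVICES = {
    "org-A": ["fw-a-1", "fw-a-2"],
    "org-B": ["fw-b-1"],
}

class Forbidden(Exception):
    pass

def list_devices_vulnerable(user: User, org_id: str) -> list:
    """Authentication succeeded, but the org_id from the URL is used as-is,
    so any logged-in user can enumerate another organization's data."""
    return list(DEVICES.get(org_id, []))

def list_devices_fixed(user: User, org_id: str) -> list:
    """Object-level authorization: the key supplied by the client must be
    checked against the caller's own organization before it is used."""
    if org_id != user.org_id:
        raise Forbidden(f"{user.name} may not read {org_id}")
    return list(DEVICES.get(org_id, []))

def handle_get(handler, user: User, path: str):
    """Minimal router for GET /orgs/<org_id>/devices; returns (status, body)."""
    parts = path.strip("/").split("/")
    if len(parts) != 3 or parts[0] != "orgs" or parts[2] != "devices":
        return 404, None
    try:
        return 200, handler(user, parts[1])
    except Forbidden:
        return 403, None
```

A 403 on a cross-organization GET (rather than a 200 with the other tenant's data) is the behaviour to verify when testing a fix of this class.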

Version          Affected               Solution
FortiPortal 7.2  7.2.0 through 7.2.1    Upgrade to 7.2.2 or above
FortiPortal 7.0  7.0.0 through 7.0.6    Upgrade to 7.0.7 or above
FortiPortal 6.0  6.0 all versions       Migrate to a fixed release
FortiPortal 5.3  5.3 all versions       Migrate to a fixed release


Fortinet is pleased to thank Saravanan Ramanathan and Surbhi Roy from Vodafone for reporting this vulnerability under responsible disclosure.


2023-12-19: Initial publication
2024-03-05: Acknowledgement update