API authentication and authorization bypass Fortinet PSIRT Advisories Fortinet PSIRT Contact: Website: https://fortiguard.fortinet.com/faq/psirt-contact FG-IR-26-099 Final 1 1 2026-04-04T00:00:00 Current version 2026-04-04T00:00:00 2026-04-04T00:00:00 An Improper Access Control vulnerability [CWE-284] in FortiClient EMS may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.Fortinet has observed this to be exploited in the wild and urges vulnerable customers to install the hotfix for FortiClient EMS 7.4.5 and 7.4.6, by following the instructions at:https://docs.fortinet.com/document/forticlient/7.4.5/ems-release-notes/832484 - for FortiClientEMS 7.4.5https://docs.fortinet.com/document/forticlient/7.4.6/ems-release-notes/832484 - for FortiClientEMS 7.4.6Upcoming FortiClientEMS 7.4.7 will also include a fix for this issue. In the meantime the hotfix above is sufficient to prevent it entirely. None Escalation of privilege None Fortinet is pleased to thank Simo Kohonen from Defused and Nguyen Duc Anh for reporting this vulnerability under responsible disclosure. FortiClientEMS 7.4.6 FortiClientEMS 7.4.5 CVE-2026-35616 FortiClientEMS-7.4.6 FortiClientEMS-7.4.5 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C https://fortiguard.fortinet.com/psirt/FG-IR-26-099 API authentication and authorization bypass Reference>