2FA request can be replayed without a valid token after one successful request Fortinet PSIRT Advisories Fortinet PSIRT Contact: Website: https://fortiguard.fortinet.com/faq/psirt-contact FG-IR-26-101 Final 1 1 2026-04-14T00:00:00 Current version 2026-04-14T00:00:00 2026-04-14T00:00:00 An Improper authentication vulnerability [CWE-287] in FortiSOAR web GUI may allow an unauthenticated attacker to bypass authentication via replaying captured 2FA request. The attack requires being able to intercept and decrypt authentication traffic and precise timing to replay the request before token expiration. None Escalation of privilege None Internally discovered and reported by Leslie Zhou of Fortinet PSIRT team. FortiSOAR PaaS 7.6.3 FortiSOAR PaaS 7.6.2 FortiSOAR PaaS 7.6.1 FortiSOAR PaaS 7.6.0 FortiSOAR PaaS 7.5.2 FortiSOAR PaaS 7.5.1 FortiSOAR PaaS 7.5.0 FortiSOAR on-premise 7.6.3 FortiSOAR on-premise 7.6.2 FortiSOAR on-premise 7.6.1 FortiSOAR on-premise 7.6.0 FortiSOAR on-premise 7.5.2 FortiSOAR on-premise 7.5.1 FortiSOAR on-premise 7.5.0 CVE-2026-23708 FortiSOAR PaaS-7.6.3 FortiSOAR PaaS-7.6.2 FortiSOAR PaaS-7.6.1 FortiSOAR PaaS-7.6.0 FortiSOAR PaaS-7.5.2 FortiSOAR PaaS-7.5.1 FortiSOAR PaaS-7.5.0 FortiSOAR on-premise-7.6.3 FortiSOAR on-premise-7.6.2 FortiSOAR on-premise-7.6.1 FortiSOAR on-premise-7.6.0 FortiSOAR on-premise-7.5.2 FortiSOAR on-premise-7.5.1 FortiSOAR on-premise-7.5.0 6.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C https://fortiguard.fortinet.com/psirt/FG-IR-26-101 2FA request can be replayed without a valid token after one successful request Reference>