PSIRT: Authentication Lockout Bypass via Race Condition

Summary

An improper restriction of excessive authentication attempts vulnerability [CWE-307] in FortiManager and FortiAnalyzer may allow an attacker to bypass brute-force protections via exploitation of race conditions.

Affected Products

Version | Affected | Solution
FortiAnalyzer 8.0 | Not affected | Not Applicable
FortiAnalyzer 7.6 | 7.6.0 through 7.6.4 | Upgrade to 7.6.5 or above
FortiAnalyzer 7.4 | 7.4 all versions | Migrate to a fixed release
FortiAnalyzer 7.2 | 7.2 all versions | Migrate to a fixed release
FortiAnalyzer 7.0 | 7.0 all versions | Migrate to a fixed release
FortiAnalyzer 6.4 | 6.4 all versions | Migrate to a fixed release
FortiAnalyzer Cloud 8.0 | Not affected | Not Applicable
FortiAnalyzer Cloud 7.6 | 7.6.2 | Upgrade to 7.6.5 or above
FortiAnalyzer Cloud 7.4 | 7.4.1 through 7.4.7 | Migrate to a fixed release
FortiAnalyzer Cloud 7.2 | 7.2.1 through 7.2.10 | Migrate to a fixed release
FortiAnalyzer Cloud 7.0 | 7.0.1 through 7.0.14 | Migrate to a fixed release
FortiAnalyzer Cloud 6.4 | 6.4 all versions | Migrate to a fixed release
FortiManager 8.0 | Not affected | Not Applicable
FortiManager 7.6 | 7.6.0 through 7.6.4 | Upgrade to 7.6.5 or above
FortiManager 7.4 | 7.4 all versions | Migrate to a fixed release
FortiManager 7.2 | 7.2 all versions | Migrate to a fixed release
FortiManager 7.0 | 7.0 all versions | Migrate to a fixed release
FortiManager 6.4 | 6.4 all versions | Migrate to a fixed release
FortiManager Cloud 8.0 | Not affected | Not Applicable
FortiManager Cloud 7.6 | 7.6.2 through 7.6.3 | Upgrade to 7.6.5 or above
FortiManager Cloud 7.4 | 7.4.1 through 7.4.7 | Migrate to a fixed release
FortiManager Cloud 7.2 | 7.2.1 through 7.2.10 | Migrate to a fixed release
FortiManager Cloud 7.0 | 7.0.1 through 7.0.14 | Migrate to a fixed release
FortiManager Cloud 6.4 | 6.4 all versions | Migrate to a fixed release

Acknowledgement

Discovered during an independent product security audit commissioned by Fortinet.
Timeline

2026-03-10: Initial publication

IR Number: FG-IR-26-079
Published Date: Mar 10, 2026
Component: GUI
Severity: Low
CVSSv3 Score: 3.4
Impact: Improper access control
CVE ID: CVE-2026-22629
A race condition vulnerability (CVE-2026-22629, CVSSv3 3.4) in FortiManager and FortiAnalyzer allows attackers to bypass brute-force protection by exploiting concurrent authentication attempts. Affected versions include FortiAnalyzer/FortiManager 7.6.0 through 7.6.4, 7.4 all versions, 7.2 all versions, 7.0 all versions, and 6.4 all versions, with corresponding Cloud versions also impacted. The solution is to upgrade to fixed releases such as FortiAnalyzer/FortiManager 7.6.5 or migrate affected older major versions to a fixed release.
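The advisory does not describe the affected code, so the following added example (not Fortinet's code, and not a reproduction of this CVE) models the CWE-307 race class generically: a lockout counter that is read, then the password verified, then the counter written, beside a version that reserves the attempt slot atomically before verifying. The class names, the threshold, the sample credential and the `sync_point` barrier hook are all constructed for illustration; the barrier only makes the worst-case interleaving reproducible in a test, where real timing would make it intermittent.

```python
"""Check-then-act lockout counter beside an atomic one (constructed example;
names, threshold, credential and the sync_point hook are illustrative only)."""
import threading
from collections import Counter

MAX_FAILED = 3                                      # lockout threshold (constructed)
CORRECT_PASSWORD = "correct horse battery staple"   # constructed sample credential


class VulnerableLockout:
    """Reads the counter, verifies the password, then writes the counter.
    Requests that all read the counter before any of them writes it are all
    verified, so more than MAX_FAILED guesses get evaluated."""

    def __init__(self, sync_point=None):
        self.failed = 0
        # Hypothetical hook: a threading.Barrier placed inside the check-to-record
        # window so the interleaving is deterministic rather than timing dependent.
        self.sync_point = sync_point

    def attempt(self, password):
        if self.failed >= MAX_FAILED:            # check ...
            return "locked"
        if self.sync_point is not None:
            self.sync_point.wait()               # every concurrent request is past the check
        ok = password == CORRECT_PASSWORD        # ... verify ...
        if ok:
            self.failed = 0
        else:
            self.failed += 1                     # ... act, with no synchronisation
        return "ok" if ok else "denied"


class HardenedLockout:
    """Reserves an attempt slot under a lock before the password is verified,
    so at most MAX_FAILED verifications happen regardless of concurrency."""

    def __init__(self):
        self.failed = 0
        self._lock = threading.Lock()

    def attempt(self, password):
        with self._lock:
            if self.failed >= MAX_FAILED:
                return "locked"
            self.failed += 1                     # count the attempt before verifying it
        ok = password == CORRECT_PASSWORD
        if ok:
            with self._lock:
                self.failed = 0                  # a successful login resets the counter
        return "ok" if ok else "denied"


def run_concurrent(lockout, password, n_requests):
    """Submit n_requests identical guesses from parallel threads and tally outcomes."""
    results, results_lock = [], threading.Lock()

    def worker():
        outcome = lockout.attempt(password)
        with results_lock:
            results.append(outcome)

    threads = [threading.Thread(target=worker) for _ in range(n_requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return Counter(results)


def compare(n_requests=10):
    """Return (vulnerable_tally, hardened_tally) for one burst of wrong guesses."""
    barrier = threading.Barrier(n_requests)      # forces the worst-case interleaving
    vulnerable = run_concurrent(VulnerableLockout(sync_point=barrier), "wrong-guess", n_requests)
    hardened = run_concurrent(HardenedLockout(), "wrong-guess", n_requests)
    return vulnerable, hardened


if __name__ == "__main__":
    v, h = compare()
    print("vulnerable:", dict(v))   # all 10 guesses verified, none reported locked
    print("hardened:  ", dict(h))   # 3 verified, 7 rejected as locked
```

The design point is the order of operations: the hardened version counts the attempt inside the critical section before any verification runs, so the window the race needs does not exist; resetting on success keeps the behaviour users expect. For detection, the same property can be checked from logs: more password verifications for one account within the lockout window than the configured threshold indicates the counter is not being enforced atomically.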