Authentication rate-limit bypass permits brute-forcing of admin logins

Summary

An Improper Control of Interaction Frequency vulnerability [CWE-799] in FortiWeb may allow a remote unauthenticated attacker to bypass the authentication rate limit via crafted requests. The success of the attack depends on the attacker's resources and on the complexity of the targeted password.

Version        Affected               Solution
FortiWeb 8.0   8.0.0 through 8.0.2    Upgrade to 8.0.3 or above
FortiWeb 7.6   7.6.0 through 7.6.5    Upgrade to 7.6.6 or above
FortiWeb 7.4   7.4.0 through 7.4.10   Upgrade to 7.4.11 or above
FortiWeb 7.2   7.2.0 through 7.2.11   Upgrade to 7.2.12 or above
FortiWeb 7.0   7.0.0 through 7.0.11   Upgrade to 7.0.12 or above

FortiAppSec Cloud is not impacted by this issue.

Acknowledgement

Internally discovered and reported by Yanmin Ji of the Fortinet Development team.

Timeline

2026-03-10: Initial publication

IR Number: FG-IR-26-082
Published Date: Mar 10, 2026
Component: GUI
Severity: High
CVSSv3 Score: 7.3
Impact: Improper access control
CVE ID: CVE-2026-24017
A vulnerability (CVE-2026-24017, CVSSv3 7.3) in FortiWeb allows an unauthenticated attacker to bypass authentication rate-limiting via crafted requests, enabling brute-force attacks against admin logins. Affected versions are FortiWeb 8.0.0 through 8.0.2, 7.6.0 through 7.6.5, 7.4.0 through 7.4.10, 7.2.0 through 7.2.11, and 7.0.0 through 7.0.11. The solution is to upgrade to FortiWeb 8.0.3, 7.6.6, 7.4.11, 7.2.12, or 7.0.12 respectively.
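The affected and fixed ranges above are easy to misread by hand across five branches, so the following added example (not Fortinet's code) encodes the advisory's table and classifies a FortiWeb version string as affected, fixed, or on a branch the advisory does not list. The inventory data at the bottom is constructed for illustration.

```python
"""Triage FortiWeb versions against CVE-2026-24017 (FG-IR-26-082) using the
affected/fixed ranges stated in the advisory table."""
import re
from typing import List, Optional, Tuple

# (branch, first affected, last affected, fixed-in), one row per advisory line.
AFFECTED_RANGES = [
    ((8, 0), (8, 0, 0), (8, 0, 2), "8.0.3"),
    ((7, 6), (7, 6, 0), (7, 6, 5), "7.6.6"),
    ((7, 4), (7, 4, 0), (7, 4, 10), "7.4.11"),
    ((7, 2), (7, 2, 0), (7, 2, 11), "7.2.12"),
    ((7, 0), (7, 0, 0), (7, 0, 11), "7.0.12"),
]

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse '7.4.3' or 'v7.4.3' into an integer tuple; reject anything else
    so a malformed inventory entry fails loudly instead of reading as 'fixed'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised FortiWeb version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(version_text: str) -> Tuple[str, Optional[str]]:
    """Return (status, fixed_in). status is 'affected', 'fixed' (same branch,
    at or above the fix release) or 'unlisted' (a branch the advisory does not
    cover); 'unlisted' deliberately does not mean safe."""
    v = parse_version(version_text)
    for branch, first, last, fixed in AFFECTED_RANGES:
        if v[:2] != branch:
            continue
        if first <= v <= last:
            return "affected", fixed
        return "fixed", fixed
    return "unlisted", None


def hosts_needing_upgrade(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """From [(host, version), ...] return [(host, version, fixed_in), ...] for affected hosts."""
    return [(h, ver, fixed) for h, ver in inventory
            for status, fixed in [assess(ver)] if status == "affected"]


# Constructed sample inventory (hypothetical hostnames, not real systems).
SAMPLE_INVENTORY = [("waf-edge-1", "7.4.10"), ("waf-edge-2", "7.4.11"), ("waf-lab", "v8.0.2")]
```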