PSIRT

MFA Bypass in GUI

Summary

An authentication bypass using an alternate path or channel vulnerability [CWE-288] in FortiManager and FortiAnalyzer multifactor authentication may allow an attacker with knowledge of the admin's password to bypass multifactor authentication checks via submitting multiple crafted requests.

| Version | Affected | Solution |
|---|---|---|
| FortiAnalyzer 7.6 | 7.6.0 through 7.6.3 | Upgrade to 7.6.4 or above |
| FortiAnalyzer 7.4 | 7.4.0 through 7.4.7 | Upgrade to 7.4.8 or above |
| FortiAnalyzer 7.2 | 7.2.2 through 7.2.11 | Migrate to a fixed release |
| FortiAnalyzer 6.4 | Not affected | Not Applicable |
| FortiAnalyzer Cloud 7.6 | 7.6.0 through 7.6.3 | Upgrade to 7.6.4 or above |
| FortiAnalyzer Cloud 7.4 | 7.4.0 through 7.4.7 | Upgrade to 7.4.8 or above |
| FortiAnalyzer Cloud 7.2 | 7.2.2 through 7.2.10 | Migrate to a fixed release |
| FortiManager 7.6 | 7.6.0 through 7.6.3 | Upgrade to 7.6.4 or above |
| FortiManager 7.4 | 7.4.0 through 7.4.7 | Upgrade to 7.4.8 or above |
| FortiManager 7.2 | 7.2.2 through 7.2.11 | Migrate to a fixed release |
| FortiManager 6.4 | Not affected | Not Applicable |
| FortiManager Cloud 7.6 | 7.6.0 through 7.6.3 | Upgrade to 7.6.4 or above |
| FortiManager Cloud 7.4 | 7.4.0 through 7.4.7 | Upgrade to 7.4.8 or above |
| FortiManager Cloud 7.2 | 7.2.2 through 7.2.10 | Migrate to a fixed release |

Acknowledgement

Discovered during an independent product security audit commissioned by Fortinet.

Timeline

2026-03-10: Initial publication

IR Number: FG-IR-26-090
Published Date: Mar 10, 2026
Component: GUI
Severity: Medium
CVSSv3 Score: 6.8
Impact: Improper access control
CVE ID: CVE-2026-22572
An authentication bypass vulnerability (CVE-2026-22572, CVSSv3 6.8) in the FortiManager and FortiAnalyzer GUI allows an attacker who already knows the admin password to bypass MFA by submitting multiple crafted requests. Affected versions include FortiManager/FortiAnalyzer 7.6.0 through 7.6.3, 7.4.0 through 7.4.7, and 7.2.2 through 7.2.11; fixes are available in 7.6.4 and 7.4.8, while the 7.2.x branch must migrate to a fixed release.
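As an added example (written for this page, not Fortinet's code or tooling), the following Python check maps a FortiManager/FortiAnalyzer inventory entry onto the advisory's affected-version table so a defender can triage which devices need the listed action; the product names and ranges are taken from the advisory, and the device list at the bottom is constructed.

```python
import re

# Inclusive affected ranges from FG-IR-26-090, as (low, high, fixed_release).
# fixed_release None means the advisory says "Migrate to a fixed release".
_ON_PREM = [((7, 6, 0), (7, 6, 3), "7.6.4"),
            ((7, 4, 0), (7, 4, 7), "7.4.8"),
            ((7, 2, 2), (7, 2, 11), None)]
_CLOUD = [((7, 6, 0), (7, 6, 3), "7.6.4"),
          ((7, 4, 0), (7, 4, 7), "7.4.8"),
          ((7, 2, 2), (7, 2, 10), None)]   # Cloud 7.2 range ends at 7.2.10
AFFECTED = {"FortiAnalyzer": _ON_PREM, "FortiManager": _ON_PREM,
            "FortiAnalyzer Cloud": _CLOUD, "FortiManager Cloud": _CLOUD}
# Branches the advisory explicitly marks "Not affected".
NOT_AFFECTED_BRANCHES = {(6, 4)}


def parse_version(text):
    """'7.4.3' -> (7, 4, 3); rejects anything that is not major.minor.patch."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(product, version):
    """Return (status, action) for one device according to FG-IR-26-090."""
    if product not in AFFECTED:
        raise ValueError(f"product not covered by this advisory: {product!r}")
    v = parse_version(version)
    for low, high, fixed in AFFECTED[product]:
        if low <= v <= high:
            action = f"upgrade to {fixed} or above" if fixed else "migrate to a fixed release"
            return "affected", action
        if v[:2] == low[:2]:
            return "not affected", "same branch, outside the listed affected range"
    if v[:2] in NOT_AFFECTED_BRANCHES:
        return "not affected", "branch listed as not affected"
    # e.g. a 7.0.x build: the advisory table says nothing about it either way.
    return "not listed", "branch absent from the advisory; confirm with the vendor"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = [("fmg-01", "FortiManager", "7.4.3"),
                 ("faz-cloud", "FortiAnalyzer Cloud", "7.2.11"),
                 ("faz-02", "FortiAnalyzer", "7.2.11"),
                 ("fmg-legacy", "FortiManager", "6.4.15")]
    for host, product, ver in inventory:
        status, action = assess(product, ver)
        print(f"{host:<11} {product:<20} {ver:<8} {status:<13} {action}")
```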