- What: SQL injection vulnerability in FortiAnalyzer API
- Impact: May allow authenticated attackers to execute unauthorized code
PSIRT: SQL injection in jsonrpc api

IR Number: FG-IR-26-095
Published Date: Mar 10, 2026
Component: OTHERS
Severity: Medium
CVSSv3 Score: 5.6
Impact: Execute unauthorized code or commands
CVE ID: CVE-2025-49784

Summary

An Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability [CWE-89] in the FortiAnalyzer and FortiAnalyzer-BigData API may allow an authenticated attacker to execute unauthorized code or commands via specifically crafted requests.

Affected versions and solution

| Version | Affected | Solution |
|---|---|---|
| FortiAnalyzer 7.6 | 7.6.0 through 7.6.4 | Upgrade to 7.6.5 or above |
| FortiAnalyzer 7.4 | 7.4.0 through 7.4.7 | Upgrade to 7.4.8 or above |
| FortiAnalyzer 7.2 | 7.2 all versions | Migrate to a fixed release |
| FortiAnalyzer 7.0 | 7.0 all versions | Migrate to a fixed release |
| FortiAnalyzer 6.4 | 6.4 all versions | Migrate to a fixed release |
| FortiAnalyzer-BigData 7.6 | 7.6.0 | Upgrade to 7.6.1 or above |
| FortiAnalyzer-BigData 7.4 | 7.4.0 through 7.4.4 | Upgrade to 7.4.5 or above |
| FortiAnalyzer-BigData 7.2 | 7.2 all versions | Migrate to a fixed release |
| FortiAnalyzer-BigData 7.0 | 7.0 all versions | Migrate to a fixed release |
| FortiAnalyzer-BigData 6.4 | 6.4 all versions | Migrate to a fixed release |
| FortiAnalyzer-BigData 6.2 | 6.2 all versions | Migrate to a fixed release |

Workaround

The vulnerability exists only when the JSON API is enabled (it is disabled by default). If it is enabled on an administrator profile, it can be disabled via the following configuration:

    config system admin profile
        edit <profile name>
            set rpc-permit none
    end

Acknowledgement

Discovered by Loic Pantano of Fortinet PSIRT

Timeline

2026-03-10: Initial publication

References

https://docs.fortinet.com/document/fortianalyzer/7.6.3/administration-guide/228363/override-administrator-attributes-from-profiles
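As an added example (not part of the Fortinet advisory or any Fortinet tooling), the Python script below turns the advisory's two practitioner checks into code: classify a running build against the affected-version table, and scan a `config system admin profile` dump for profiles that have the JSON API (`rpc-permit`) enabled, then render the advisory's workaround for each. It assumes the dump follows the standard Fortinet CLI syntax shown in the workaround, that the non-`none` values of `rpc-permit` are `read` and `read-write`, and that a profile without an explicit `set rpc-permit` line is on the default, which the advisory states is disabled; the sample configuration and the setting names in it are constructed for illustration.

```python
"""Triage helper for FG-IR-26-095 / CVE-2025-49784 (added example, not Fortinet code)."""
import re

# Fixed release per product and major.minor branch, transcribed from the
# advisory's table. None means the advisory lists every release on that
# branch as affected with no fixed build ("Migrate to a fixed release").
FIXED_RELEASE = {
    ("FortiAnalyzer", (7, 6)): (7, 6, 5),
    ("FortiAnalyzer", (7, 4)): (7, 4, 8),
    ("FortiAnalyzer", (7, 2)): None,
    ("FortiAnalyzer", (7, 0)): None,
    ("FortiAnalyzer", (6, 4)): None,
    ("FortiAnalyzer-BigData", (7, 6)): (7, 6, 1),
    ("FortiAnalyzer-BigData", (7, 4)): (7, 4, 5),
    ("FortiAnalyzer-BigData", (7, 2)): None,
    ("FortiAnalyzer-BigData", (7, 0)): None,
    ("FortiAnalyzer-BigData", (6, 4)): None,
    ("FortiAnalyzer-BigData", (6, 2)): None,
}


def parse_version(text):
    """Extract the first x.y.z version number from a string as an int tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(part) for part in m.groups())


def version_status(product, version):
    """Classify a build as 'affected', 'fixed' or 'unknown' per the advisory.

    Branches the advisory does not list (e.g. a newer major release) are
    reported as 'unknown' rather than silently treated as safe.
    """
    v = parse_version(version)
    fixed = FIXED_RELEASE.get((product, v[:2]), "unlisted")
    if fixed == "unlisted":
        return "unknown"
    if fixed is None or v < fixed:
        return "affected"
    return "fixed"


def profiles_with_rpc(config_text):
    """Return {profile_name: rpc-permit value} for profiles whose JSON API is on.

    Assumptions (not stated by the advisory): non-'none' values are 'read' or
    'read-write', and a profile with no 'set rpc-permit' line is on the default,
    which the advisory says is disabled. Sub-tables nested inside a profile are
    skipped by tracking config/end depth.
    """
    enabled = {}
    depth = 0       # 0 until the block starts; 1 inside the profile table
    current = None  # name of the profile entry currently being read
    for raw in config_text.splitlines():
        line = raw.strip()
        if depth == 0:
            if line == "config system admin profile":
                depth = 1
            continue
        if line.startswith("config "):
            depth += 1
            continue
        if line == "end":
            depth -= 1
            if depth == 0:
                break
            continue
        if depth != 1:
            continue
        m = re.match(r'^edit\s+"?(.+?)"?$', line)
        if m:
            current = m.group(1)
            continue
        if line == "next":
            current = None
            continue
        m = re.match(r"^set rpc-permit\s+(\S+)", line)
        if m and current is not None and m.group(1) != "none":
            enabled[current] = m.group(1)
    return enabled


def remediation_cli(profile):
    """Render the advisory's workaround for one profile."""
    return "\n".join(["config system admin profile", f'    edit "{profile}"',
                      "        set rpc-permit none", "    next", "end"])


# Constructed sample, shaped like a 'config system admin profile' dump.
SAMPLE_CONFIG = """\
config system admin profile
    edit "Super_User"
        set rpc-permit read-write
    next
    edit "Standard_User"
        set rpc-permit read
    next
    edit "Restricted_User"
        set system-setting read
    next
    edit "Nested_Example"
        config datamask-custom-fields
            edit "cf1"
            next
        end
        set rpc-permit none
    next
end
"""

if __name__ == "__main__":
    print("FortiAnalyzer v7.6.4:", version_status("FortiAnalyzer", "v7.6.4-build2500"))
    for name, value in profiles_with_rpc(SAMPLE_CONFIG).items():
        print(f"\nprofile {name!r} has rpc-permit {value}; to disable:")
        print(remediation_cli(name))
```

Run against the constructed sample it reports only `Super_User` and `Standard_User`; the profile with `rpc-permit none` and the one with no `rpc-permit` line at all are left alone, and the nested sub-table does not terminate the walk early. Note that the version check only narrows exposure: a build on an affected branch with every profile at `rpc-permit none` is not reachable through this bug, but it still needs the upgrade, since a later profile change would re-expose it.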