PSIRT: Multiple SQL Injections

Summary

An Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability [CWE-89] in FortiClientEMS may allow an authenticated attacker to run arbitrary SQL queries on the database via sending crafted requests.

| Version | Affected | Solution |
|---|---|---|
| FortiClientEMS 7.4 | 7.4.0 through 7.4.5 | Upgrade to 7.4.6 or above |
| FortiClientEMS 7.2 | 7.2.0 through 7.2.12 | Upgrade to 7.2.13 or above |
| FortiClientEMS 7.0 | 7.0 all versions | Migrate to a fixed release |

Fortinet remediated this issue in FortiClient Cloud and hence customers do not need to perform any action.

Fortinet remediated this issue in FortiSASE and hence customers do not need to perform any action.

Acknowledgement

Internally discovered and reported by David Maciejak, Gwendal Guegniaud, Loic Pantano of Fortinet Product Security team.

Timeline

2026-04-14: Initial publication

| Field | Value |
|---|---|
| IR Number | FG-IR-26-102 |
| Published Date | Apr 14, 2026 |
| Component | CLI |
| Severity | High |
| Discovered | Internal |
| Attack Type | Authenticated |
| Known Exploited | No |
| CVSSv3 Score | 7.1 |
| Impact | Execute unauthorized code or commands |
| CVE ID | CVE-2026-39809 |
An authenticated SQL injection vulnerability (CVE-2026-39809, CVSSv3 7.1) in FortiClientEMS allows an authenticated attacker to execute arbitrary SQL queries via crafted requests. Affected versions are FortiClientEMS 7.4.0 through 7.4.5, 7.2.0 through 7.2.12, and all versions of 7.0. The remediation is to upgrade to 7.4.6 or 7.2.13 respectively, while 7.0 users must migrate to a fixed release.
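The affected ranges above are the kind of data an operator wants to check against an inventory rather than by eye. The following Python helper is an added example, not a Fortinet tool; it encodes the version table from FG-IR-26-102 exactly as published (inclusive ranges, with every 7.0 release affected and no fixed 7.0 release listed) and reports, for each installed FortiClientEMS version, whether it falls inside an affected range and which solution the advisory gives. The inventory rows are constructed sample input; a branch the advisory does not mention is reported as "not listed" rather than as safe, since the page says nothing about it.

```python
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges copied from the FG-IR-26-102 table. A None range means the
# advisory marks the whole branch as affected with no fixed release in it.
AFFECTED_RANGES: Dict[Tuple[int, int], Tuple[Optional[Version], Optional[Version], str]] = {
    (7, 4): ((7, 4, 0), (7, 4, 5), "Upgrade to 7.4.6 or above"),
    (7, 2): ((7, 2, 0), (7, 2, 12), "Upgrade to 7.2.13 or above"),
    (7, 0): (None, None, "Migrate to a fixed release"),
}


def parse_version(text: str) -> Version:
    """Turn '7.4.3' or '7.4' into a comparable (major, minor, patch) tuple."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return (nums[0], nums[1], nums[2])


def assess(text: str) -> Tuple[bool, str]:
    """Return (affected, action) for one installed version per the advisory."""
    version = parse_version(text)
    branch = AFFECTED_RANGES.get(version[:2])
    if branch is None:
        return False, "branch not listed in FG-IR-26-102"
    low, high, action = branch
    if low is None or low <= version <= high:
        return True, action
    return False, "outside the affected range"


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Given (hostname, version) pairs, return the hosts that need action."""
    findings = []
    for host, version in inventory:
        affected, action = assess(version)
        if affected:
            findings.append((host, version, action))
    return findings


if __name__ == "__main__":
    # Constructed sample inventory for the demonstration.
    sample = [("ems-prod", "7.4.3"), ("ems-lab", "7.4.6"),
              ("ems-legacy", "7.0.9"), ("ems-dr", "7.2.13")]
    for row in triage(sample):
        print(row)
```

The comparison is done on integer tuples so that 7.2.12 sorts before 7.2.13 (a plain string comparison would get this wrong), and the upper bounds are inclusive because the advisory says "through". When a new revision of the advisory changes a range, only the table at the top needs editing.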