PSIRT Open Redirection via Import CSV option Summary An URL Redirection to Untrusted Site ('Open Redirect') vulnerability [CWE-601] in FortiNAC-F may allow a remote privileged attacker with system administrator role to redirect users to an arbitrary website via crafted CSV file. Version Affected Solution FortiNAC-F 7.6 7.6.0 through 7.6.5 Upgrade to 7.6.6 or above FortiNAC-F 7.4 7.4 all versions Migrate to a fixed release FortiNAC-F 7.2 7.2 all versions Migrate to a fixed release Acknowledgement Discovered during an independent audit commissioned by Fortinet. Timeline 2026-04-14: Initial publication IR Number FG-IR-26-118 Published Date Apr 14, 2026 Component GUI Severity Low Discovered Internal Attack Type Authenticated Known Exploited No CVSSv3 Score 2.2 Impact Execute unauthorized code or commands CVE ID CVE-2026-21741 Download CVRF CSAF