What the vulnerability does
01Description
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.
CVSS base score
9.1/10
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
CISA mandated remediation
02CISA Required Action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Key dates
03Disclosure timeline
April 4, 2026
CVE published
April 21, 2026
Record updated
External resources
04References
NVD — National Vulnerability Database
https://nvd.nist.gov/vuln/detail/CVE-2026-35616
CWE — Common Weakness Enumeration
https://cwe.mitre.org/data/definitions/284.html
CISA KEV Reference
https://fortiguard.fortinet.com/psirt/FG-IR-26-099
CISA KEV Reference
https://nvd.nist.gov/vuln/detail/CVE-2026-35616
Related vulnerabilities
05Related CVE
CVE-2024-12370 WP Hotel Booking <= 2.1.5 - Missing Authorization
CVE-2026-24668 Open eClass Broken Access Control Allows Students to Add Content to Course Units
CVE-2022-23996
CVE-2021-42116 Unauthorized Menu Item Access in TopEase
CVE-2022-4711 Royal Elementor Addons <= 1.3.59 - Insufficient Access Control to Menu Settings Update
