FortiOS 7.6.0-7.6.4 LDAP Auth Bypass via Agentless VPN/FSSO
CVE-2026-22153 Published on February 10, 2026
An Authentication Bypass by Primary Weakness vulnerability [CWE-305] vulnerability in Fortinet FortiOS 7.6.0 through 7.6.4 may allow an unauthenticated attacker to bypass LDAP authentication of Agentless VPN or FSSO policy, when the remote LDAP server is configured in a specific way.
Vulnerability Analysis
CVE-2026-22153 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
Authentication Bypass by Primary Weakness
The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.
Products Associated with CVE-2026-22153
Want to know whenever a new CVE is published for Fortinet FortiOS? stack.watch will email you.
Affected Versions
Fortinet FortiOS:- Version 7.6.0, <= 7.6.4 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.