HTTP Response Splitting in Fortinet FortiOS and FortiProxy
CVE-2025-62826

3.1LOW

Key Information:

Vendor

Fortinet

Vendor
CVE Published:
14 July 2026

What is CVE-2025-62826?

This vulnerability allows an attacker to intercept and alter a user's authentication request on a captive portal by injecting malicious HTTP headers through specially crafted requests. The flaw is rooted in an improper neutralization of CRLF sequences, potentially leading to exploitation and security breaches in affected versions of FortiOS and FortiProxy.

Affected Version(s)

FortiOS 7.6.0 <= 7.6.2

FortiOS 7.4.0 <= 7.4.8

FortiOS 7.2.0 <= 7.2.13

References

CVSS V3.1

Score:
3.1
Severity:
LOW
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.