User-Controlled HTTP Header Vulnerability in Fortra's GoAnywhere MFT
CVE-2026-1089

6.5MEDIUM

Key Information:

Vendor: Fortra
Status: Goanywhere Mft
Vendor: CVE Published:; 21 April 2026

What is CVE-2026-1089?

A vulnerability in Fortra's GoAnywhere MFT prior to version 7.10.0 allows users to control HTTP headers. This can lead to an attacker triggering a DNS lookup and exploiting DNS rebinding techniques to gain unauthorized access to sensitive information. Proper validation of HTTP headers is crucial to prevent such attacks and safeguard sensitive data.

Affected Version(s)

GoAnywhere MFT 0 < 7.10.0

References

https://www.fortra.com/security/advisories/product-securi...

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 21, 2026
Vulnerability Reserved
Jan 16, 2026

CVE-2026-1089 Data

JSON