{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0971", "assignerOrgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "state": "PUBLISHED", "assignerShortName": "Fortra", "dateReserved": "2026-01-14T22:56:32.772Z", "datePublished": "2026-04-21T14:14:23.423Z", "dateUpdated": "2026-04-21T19:26:58.470Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "shortName": "Fortra", "dateUpdated": "2026-04-21T14:14:23.423Z"}, "title": "GoAnywhere MFT SAML Sessions do not redirect to logout URL on session timeout", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-613", "description": "CWE-613 Insufficient session expiration", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-1", "descriptions": [{"lang": "en", "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"}]}], "affected": [{"vendor": "Fortra", "product": "GoAnywhere MFT", "platforms": ["Windows", "MacOS", "Linux"], "versions": [{"status": "affected", "version": "0", "lessThan": "7.10.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "An improper session timeout issue in Fortra's GoAnywhere MFT prior to version 7.10.0 results in SAML configured Web Users being redirected to the regular login page instead of the SAML login page.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "An improper session timeout issue in Fortra's GoAnywhere MFT prior to version 7.10.0 results in SAML configured Web Users being redirected to the regular login page instead of the SAML login page."}]}], "references": [{"url": "https://fortra.com/security/advisories/product-security/fi-2025-013"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N"}}], "solutions": [{"lang": "en", "value": "Update to version 7.10.0 or higher of GoAnywhere MFT", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Update to version 7.10.0 or higher of GoAnywhere MFT"}]}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T19:26:48.832583Z", "id": "CVE-2026-0971", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T19:26:58.470Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0971", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-21T19:26:48.832583Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T19:26:53.216Z"}}], "cna": {"title": "GoAnywhere MFT SAML Sessions do not redirect to logout URL on session timeout", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-1", "descriptions": [{"lang": "en", "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Fortra", "product": "GoAnywhere MFT", "versions": [{"status": "affected", "version": "0", "lessThan": "7.10.0", "versionType": "semver"}], "platforms": ["Windows", "MacOS", "Linux"], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update to version 7.10.0 or higher of GoAnywhere MFT", "supportingMedia": [{"type": "text/html", "value": "Update to version 7.10.0 or higher of GoAnywhere MFT", "base64": false}]}], "references": [{"url": "https://fortra.com/security/advisories/product-security/fi-2025-013"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "An improper session timeout issue in Fortra's GoAnywhere MFT prior to version 7.10.0 results in SAML configured Web Users being redirected to the regular login page instead of the SAML login page.", "supportingMedia": [{"type": "text/html", "value": "An improper session timeout issue in Fortra's GoAnywhere MFT prior to version 7.10.0 results in SAML configured Web Users being redirected to the regular login page instead of the SAML login page.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-613", "description": "CWE-613 Insufficient session expiration"}]}], "providerMetadata": {"orgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "shortName": "Fortra", "dateUpdated": "2026-04-21T14:14:23.423Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0971", "state": "PUBLISHED", "dateUpdated": "2026-04-21T19:26:58.470Z", "dateReserved": "2026-01-14T22:56:32.772Z", "assignerOrgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "datePublished": "2026-04-21T14:14:23.423Z", "assignerShortName": "Fortra"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An improper session timeout issue in Fortra's GoAnywhere MFT prior to version 7.10.0 results in SAML configured Web Users being redirected to the regular login page instead of the SAML login page."}], "id": "CVE-2026-0971", "lastModified": "2026-04-21T16:20:24.180", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "type": "Secondary"}]}, "published": "2026-04-21T15:16:35.717", "references": [{"source": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "url": "https://fortra.com/security/advisories/product-security/fi-2025-013"}], "sourceIdentifier": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-613"}], "source": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": ["windows", "macos", "linux"], "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.10.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "GoAnywhere MFT", "source": "cna", "vendor": "Fortra"}, "product": "goanywhere_mft", "vendor": "fortra"}], "analysis": {"en": {"generated_at": "2026-04-22T06:46:52.175219+00:00", "value": {"mitigation_remediation": ["Upgrade GoAnywhere MFT to version 7.10.0 or later.", "Verify that expired SAML sessions redirect to the SAML login page instead of the standard login page.", "Perform functional tests to ensure that session timeouts no longer present the regular login interface."], "summary": {"action": "Apply Patch", "impact": "SAML session redirection to standard login on timeout, undermining SSO flow"}, "threat_synthesis": {"affected_systems": "All releases of Fortra:GoAnywhere MFT older than version 7.10.0 that are configured for SAML authentication.", "description_and_impact": "An improper session timeout in Fortra\u2019s GoAnywhere MFT causes web users configured with SAML authentication to be redirected to the standard login page instead of the SAML login page when a session ends. This misdirects the expected single\u2011sign\u2011on flow and may allow a user or attacker to authenticate via the regular login interface. Based on the description, it is inferred that this could enable access to the application using a non\u2011SAML authentication path, but the vulnerability does not provide direct code execution or sensitive data exposure.", "risk_and_exploitability": "The CVSS score of 4.3 indicates low\u2011to\u2011medium severity. No EPSS score is currently available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is web\u2011application based, inferred from the session\u2011timeout behavior described. Exploitation would require an attacker to observe a user\u2019s SAML session when it times out and then use the standard login page to attempt authentication."}}}}, "created": "2026-04-22T07:00:12.119528+00:00", "updated": "2026-04-22T11:46:28.269045+00:00", "vendors": ["fortra", "fortra$PRODUCT$goanywhere_mft"]}