{"api_version":"1","generated_at":"2026-04-23T10:42:22+00:00","cve":"CVE-2023-26209","urls":{"html":"https://cve.report/CVE-2023-26209","api":"https://cve.report/api/cve/CVE-2023-26209.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2023-26209","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2023-26209"},"summary":{"title":"CVE-2023-26209","description":"A improper restriction of excessive authentication attempts vulnerability [CWE-307] in Fortinet FortiDeceptor 3.1.x and before allows a remote unauthenticated attacker to partially exhaust CPU and memory via sending numerous HTTP requests to the login form.","state":"PUBLIC","assigner":"psirt@fortinet.com","published_at":"2023-03-09 15:15:00","updated_at":"2023-11-07 04:09:00"},"problem_types":["CWE-307"],"metrics":[],"references":[{"url":"https://fortiguard.com/psirt/FG-IR-20-078","name":"https://fortiguard.com/psirt/FG-IR-20-078","refsource":"MISC","tags":[],"title":"PSIRT Advisories | FortiGuard","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-26209","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-26209","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2023","cve_id":"26209","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"fortinet","cpe5":"fortideceptor","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2023-26209","ASSIGNER":"psirt@fortinet.com","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"A improper restriction of excessive authentication attempts vulnerability [CWE-307] in Fortinet FortiDeceptor 3.1.x and before allows a remote unauthenticated attacker to partially exhaust CPU and memory via sending numerous HTTP requests to the login form."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Denial of service","cweId":"CWE-307"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Fortinet","product":{"product_data":[{"product_name":"FortiDeceptor","version":{"version_data":[{"version_affected":"<=","version_name":"3.1.0","version_value":"3.1.1"},{"version_affected":"<=","version_name":"3.0.0","version_value":"3.0.2"},{"version_affected":"=","version_value":"2.1.0"},{"version_affected":"=","version_value":"2.0.0"},{"version_affected":"=","version_value":"1.1.0"},{"version_affected":"<=","version_name":"1.0.0","version_value":"1.0.1"}]}}]}}]}},"references":{"reference_data":[{"url":"https://fortiguard.com/psirt/FG-IR-20-078","refsource":"MISC","name":"https://fortiguard.com/psirt/FG-IR-20-078"}]},"solution":[{"lang":"en","value":"Please upgrade to FortiAuthenticator version 6.5.0 or above,\nPlease upgrade to FortiDeceptor version 3.2.0 or above.\nPlease upgrade to FortiMail version 6.4.1 or above,\r\nPlease upgrade to FortiMail version 6.2.5 or above,\r\nPlease upgrade to FortiMail version 6.0.10 or above."}],"impact":{"cvss":[{"version":"3.1","attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":3.5,"baseSeverity":"LOW","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:X"}]}},"nvd":{"publishedDate":"2023-03-09 15:15:00","lastModifiedDate":"2023-11-07 04:09:00","problem_types":["CWE-307"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"LOW","baseScore":5.3,"baseSeverity":"MEDIUM"},"exploitabilityScore":3.9,"impactScore":1.4}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:fortinet:fortideceptor:*:*:*:*:*:*:*:*","versionStartIncluding":"1.0.0","versionEndExcluding":"3.2.0","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}