{"api_version":"1","generated_at":"2026-04-23T06:21:02+00:00","cve":"CVE-2026-0971","urls":{"html":"https://cve.report/CVE-2026-0971","api":"https://cve.report/api/cve/CVE-2026-0971.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-0971","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-0971"},"summary":{"title":"GoAnywhere MFT SAML Sessions do not redirect to logout URL on session timeout","description":"An improper session timeout issue in Fortra's GoAnywhere MFT prior to version 7.10.0 results in SAML configured Web Users being redirected to the regular login page instead of the SAML login page.","state":"PUBLISHED","assigner":"Fortra","published_at":"2026-04-21 15:16:35","updated_at":"2026-04-21 16:20:24"},"problem_types":["CWE-613","CWE-613 CWE-613 Insufficient session expiration"],"metrics":[{"version":"3.1","source":"df4dee71-de3a-4139-9588-11b62fe6c0ff","type":"Secondary","score":"4.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"4.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":4.3,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N","version":"3.1"}}],"references":[{"url":"https://fortra.com/security/advisories/product-security/fi-2025-013","name":"https://fortra.com/security/advisories/product-security/fi-2025-013","refsource":"df4dee71-de3a-4139-9588-11b62fe6c0ff","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-0971","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-0971","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Fortra","product":"GoAnywhere MFT","version":"affected 7.10.0 semver","platforms":["Windows","MacOS","Linux"]}],"timeline":[],"solutions":[{"source":"CNA","title":"","value":"Update to version 7.10.0 or higher of GoAnywhere MFT","time":"","lang":"en"}],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"971","cve":"CVE-2026-0971","epss":"0.000280000","percentile":"0.081010000","score_date":"2026-04-22","updated_at":"2026-04-23 00:03:15"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","platforms":["Windows","MacOS","Linux"],"product":"GoAnywhere MFT","vendor":"Fortra","versions":[{"lessThan":"7.10.0","status":"affected","version":"0","versionType":"semver"}]}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"An improper session timeout issue in Fortra's GoAnywhere MFT prior to version 7.10.0 results in SAML configured Web Users being redirected to the regular login page instead of the SAML login page."}],"value":"An improper session timeout issue in Fortra's GoAnywhere MFT prior to version 7.10.0 results in SAML configured Web Users being redirected to the regular login page instead of the SAML login page."}],"impacts":[{"capecId":"CAPEC-1","descriptions":[{"lang":"en","value":"CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":4.3,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-613","description":"CWE-613 Insufficient session expiration","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-21T14:14:23.423Z","orgId":"df4dee71-de3a-4139-9588-11b62fe6c0ff","shortName":"Fortra"},"references":[{"url":"https://fortra.com/security/advisories/product-security/fi-2025-013"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Update to version 7.10.0 or higher of GoAnywhere MFT"}],"value":"Update to version 7.10.0 or higher of GoAnywhere MFT"}],"source":{"discovery":"UNKNOWN"},"title":"GoAnywhere MFT SAML Sessions do not redirect to logout URL on session timeout","x_generator":{"engine":"Vulnogram 1.0.1"}}},"cveMetadata":{"assignerOrgId":"df4dee71-de3a-4139-9588-11b62fe6c0ff","assignerShortName":"Fortra","cveId":"CVE-2026-0971","datePublished":"2026-04-21T14:14:23.423Z","dateReserved":"2026-01-14T22:56:32.772Z","dateUpdated":"2026-04-21T14:14:23.423Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-04-21 15:16:35","lastModifiedDate":"2026-04-21 16:20:24","problem_types":["CWE-613","CWE-613 CWE-613 Insufficient session expiration"],"metrics":{"cvssMetricV31":[{"source":"df4dee71-de3a-4139-9588-11b62fe6c0ff","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"971","Ordinal":"1","Title":"GoAnywhere MFT SAML Sessions do not redirect to logout URL on se","CVE":"CVE-2026-0971","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"971","Ordinal":"1","NoteData":"An improper session timeout issue in Fortra's GoAnywhere MFT prior to version 7.10.0 results in SAML configured Web Users being redirected to the regular login page instead of the SAML login page.","Type":"Description","Title":"GoAnywhere MFT SAML Sessions do not redirect to logout URL on se"}]}}}