Critical FortiClient EMS flaw lets attackers reach the database without logging in


A critical vulnerability in Fortinet FortiClient Endpoint Management Server (EMS) can let an unauthenticated attacker send crafted HTTP requests and execute unauthorized code or commands. The issue is tracked as CVE-2026-21643, and Fortinet says it affects FortiClient EMS 7.4.4, with 7.4.5 or later fixing the problem.

The risk is highest for organizations running FortiClient EMS 7.4.4 with multi-tenant mode enabled. Research from Bishop Fox says the flaw sits in the way the product handles the Site header before authentication, which can expose the backend PostgreSQL database to SQL injection.

Fortinet’s advisory describes the bug as an SQL injection issue that may allow an unauthenticated attacker to execute unauthorized code or commands through specially crafted HTTP requests. The vendor’s affected-version matrix says FortiClient EMS 8.0 is not affected, FortiClient EMS 7.2 is not affected, and FortiClient EMS 7.4.4 should be upgraded to 7.4.5 or above.

Why this FortiClient EMS bug matters

FortiClient EMS works as a central management server for endpoint deployments, policies, and device oversight. If attackers gain access to the management database, they may be able to reach administrator credentials, endpoint inventory data, security policies, and certificates tied to managed endpoints, according to Bishop Fox’s technical analysis.

That makes this more than a routine software bug. A breach at the EMS layer can give attackers visibility into how endpoints are managed across an organization, and in some cases it may open the door to deeper compromise. Fortinet’s own advisory says the flaw may allow unauthorized code or commands, while Bishop Fox says full management database access is possible on vulnerable multi-tenant deployments.

What researchers found

Bishop Fox says the vulnerable code path appears in FortiClient EMS 7.4.4 after a refactoring of middleware and database connection handling. In that version, the Site header can flow into the PostgreSQL search_path logic without proper sanitization. The researchers say this happens before authentication checks, which is why the attack does not require valid login credentials.

The researchers also identified a particularly useful endpoint for exploitation: GET /api/v1/init_consts. Their testing says this endpoint can reveal whether multi-tenant mode is enabled through the SITES_ENABLED value, and it can also be used as a practical attack vector because it does not require authentication and returns database errors in the HTTP response body.

In lab testing, Bishop Fox found two injectable pre-authentication endpoints: POST /api/v1/auth/signin and GET /api/v1/init_consts. The second one stood out because it had no brute-force lockout and exposed PostgreSQL error details, which made rapid error-based data extraction easier.

Affected versions at a glance

| Product line | Affected version | Status | Recommended action |
|---|---|---|---|
| FortiClient EMS 7.4 | 7.4.4 | Vulnerable | Upgrade to 7.4.5 or later |
| FortiClient EMS 7.2 | Not affected | Safe from this CVE | No action for this issue |
| FortiClient EMS 8.0 | Not affected | Safe from this CVE | No action for this issue |

Source: Fortinet PSIRT advisory and Fortinet release notes.

How the attack can work

According to Bishop Fox, an attacker who can reach the EMS web interface over HTTPS can first query /api/v1/init_consts to check whether multi-tenant mode is turned on. If it is, the attacker can try SQL injection through the Site header on pre-authentication endpoints.

The same research says the login endpoint has brute-force protection, but init_consts does not. That makes the public constants endpoint the more practical target in real-world conditions, especially because it can leak database errors directly in HTTP 500 responses.

Fortinet has not publicly said the flaw is under active exploitation in its advisory. Still, the combination of no authentication, network exposure, and access to a management platform makes this a patch-now issue for any team still on the affected build.

What admins should do now

The main fix is straightforward. Upgrade FortiClient EMS 7.4.4 to 7.4.5 or later as soon as possible. Fortinet’s release notes for 7.4.5 explicitly state that the version is no longer vulnerable to CVE-2026-21643.

If patching cannot happen immediately, Bishop Fox recommends reducing exposure by limiting HTTPS access to the EMS web GUI to authorized management networks only. The researchers also say disabling the multi-tenant Sites feature can eliminate the reachable attack surface when that feature is not required.

Security teams should also look for signs of probing or exploitation. Bishop Fox says unusually long response times on pre-authentication endpoints such as /api/v1/auth/signin or /api/v1/init_consts, repeated HTTP 500 responses on init_consts, and rapid repeated requests from the same source IP can all be useful warning signs.
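The warning signs above can be turned into a simple triage pass over web access logs. The following is an added example, not code from the article, Bishop Fox, or Fortinet; it assumes a constructed log format of "client_ip method path status response_ms" and flags clients that repeatedly hit HTTP 500 on /api/v1/init_consts, see slow pre-authentication responses, or hammer the pre-authentication endpoints.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the article or any real EMS host); assumed format: ip method path status ms
SAMPLE_LOG = """\
198.51.100.7 GET /api/v1/init_consts 200 42
198.51.100.7 GET /api/v1/init_consts 500 1810
198.51.100.7 GET /api/v1/init_consts 500 1925
198.51.100.7 GET /api/v1/init_consts 500 2044
198.51.100.7 POST /api/v1/auth/signin 500 2301
203.0.113.5 GET /api/v1/init_consts 200 38
203.0.113.5 POST /api/v1/auth/signin 200 120
"""

PREAUTH_PATHS = {"/api/v1/init_consts", "/api/v1/auth/signin"}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\d+)$")


def parse_log(text):
    """Yield (ip, method, path, status, ms) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ip, method, path, status, ms = m.groups()
            yield ip, method, path, int(status), int(ms)


def detect(text, min_500=3, slow_ms=1000, burst=5):
    """Return {ip: [reasons]} for clients showing the warning signs the researchers describe."""
    per_ip = defaultdict(lambda: {"hits": 0, "init_500": 0, "slow": 0})
    for ip, _method, path, status, ms in parse_log(text):
        if path not in PREAUTH_PATHS:
            continue  # only the pre-authentication endpoints are of interest here
        s = per_ip[ip]
        s["hits"] += 1
        if path == "/api/v1/init_consts" and status == 500:
            s["init_500"] += 1  # database errors surfacing as HTTP 500
        if ms >= slow_ms:
            s["slow"] += 1  # unusually long response times on pre-auth endpoints
    findings = {}
    for ip, s in per_ip.items():
        reasons = []
        if s["init_500"] >= min_500:
            reasons.append(f"{s['init_500']} HTTP 500s on /api/v1/init_consts")
        if s["slow"] >= min_500:
            reasons.append(f"{s['slow']} slow pre-auth responses (>= {slow_ms} ms)")
        if s["hits"] >= burst:
            reasons.append(f"{s['hits']} pre-auth requests")
        if reasons:
            findings[ip] = reasons
    return findings
```

Thresholds are placeholders; tune them against the normal request rate of your own EMS deployment before alerting on them.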

Key takeaways

  • CVE-2026-21643 is a critical FortiClient EMS SQL injection flaw.
  • Fortinet says FortiClient EMS 7.4.4 is affected, while 7.4.5 fixes the issue.
  • The risk centers on multi-tenant deployments where the Site header can reach database logic before authentication.
  • Bishop Fox identified /api/v1/init_consts as the most practical pre-authentication attack path.
  • Restricting EMS web access and disabling multi-tenant mode can reduce risk until patching is complete.

FAQ

What is CVE-2026-21643?

It is a critical SQL injection vulnerability in Fortinet FortiClient EMS. Fortinet says it may allow an unauthenticated attacker to execute unauthorized code or commands through specially crafted HTTP requests.

Which FortiClient EMS versions are affected?

Fortinet’s advisory says FortiClient EMS 7.4.4 is affected. The same advisory says 7.2 and 8.0 are not affected by this issue.

Does the attack need valid credentials?

No. Fortinet and NVD both describe the issue as unauthenticated, and Bishop Fox says the vulnerable logic runs before login checks.

What should organizations do first?

Upgrade to FortiClient EMS 7.4.5 or later. If that cannot happen right away, restrict access to the EMS web interface and disable multi-tenant mode if the Sites feature is not needed.
