FortiClient SQL Injection flaw

A serious SQL injection vulnerability has been disclosed in Fortinet's FortiClient Endpoint Management Server (EMS). Tracked as CVE-2026-21643 with a CVSS score of 9.1, it lets unauthenticated attackers execute arbitrary SQL commands and access sensitive database information.
The flaw affects only FortiClient EMS version 7.4.4, and only when multi-tenant mode is enabled. The root cause is a major middleware change in 7.4.4 that reworked how the application connects to databases and routes tenants. In the course of that update, the database connection code was broken so that the HTTP Site header is interpolated directly into a PostgreSQL search_path query.
Because the middleware neither validates nor sanitizes this header, attackers can break out of the intended format string and run their own database queries. Worse, the vulnerable middleware runs before any authentication checks, so no valid credentials are needed to exploit the weakness.
An attacker can trigger it with a crafted web request sent to the server over HTTPS.

Details about the FortiClient SQL Injection Vulnerability

Researchers at Bishop Fox found that the publicly reachable /api/v1/init_consts endpoint is the most convenient attack path. Attackers can first query this endpoint to check whether the multi-tenant flag is on; if it is, they can send SQL payloads through the Site header.
This endpoint has no brute-force protection or rate limiting.
More importantly, it returns PostgreSQL error messages directly in the body of the HTTP response. This design flaw lets attackers pull hidden data quickly using error-based extraction, often in a single request, which is far faster than time-based injection. A successful attack fully compromises the management database.
Because the database user in the Fortinet virtual machine has PostgreSQL superuser rights, attackers can also achieve remote code execution on the host operating system. They can steal administrator passwords, obtain digital certificates, and enumerate every device under management. With this level of access, threat actors can alter security policies and push malicious configurations to all of an organization's endpoints.
This fits a broader trend of threat actors targeting network edge and management appliances. Indicators of compromise include unusually long response times (5–20+ seconds) on /api/v1/auth/signin or /api/v1/init_consts in Apache access logs, and repeated HTTP 500 responses from the same IP address against the /api/v1/init_consts endpoint.
Database administrators should also watch PostgreSQL error logs for search_path statements containing single quotes, semicolons, or SQL keywords such as SELECT. Fortinet fixed the issue in version 7.4.5 by replacing format-string interpolation with parameterized identifier handling and proper escaping of input.
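The access-log and database-log indicators above can be checked mechanically. The following added example (not from Fortinet or Bishop Fox) scans constructed Apache and PostgreSQL log lines for the three signals named in this article; it assumes an Apache LogFormat with a trailing %D field (response time in microseconds) and a standard PostgreSQL text log, and the thresholds are assumptions you should tune.

```python
import re
from collections import Counter

# Constructed sample lines (not from a real incident). Apache combined format
# plus a trailing %D field (microseconds); adjust APACHE_RE for other formats.
APACHE_LINES = [
    '203.0.113.7 - - [12/Feb/2026:10:01:02 +0000] "GET /api/v1/init_consts HTTP/1.1" 200 512 12000',
    '203.0.113.7 - - [12/Feb/2026:10:01:09 +0000] "GET /api/v1/init_consts HTTP/1.1" 500 180 7400000',
    '203.0.113.7 - - [12/Feb/2026:10:01:15 +0000] "GET /api/v1/init_consts HTTP/1.1" 500 180 9100000',
    '203.0.113.7 - - [12/Feb/2026:10:01:22 +0000] "POST /api/v1/auth/signin HTTP/1.1" 200 300 21000000',
    '198.51.100.4 - - [12/Feb/2026:10:02:00 +0000] "GET /api/v1/init_consts HTTP/1.1" 200 512 9000',
]
PG_LINES = [
    "2026-02-12 10:01:09 UTC ERROR:  syntax error at or near \"'\"",
    "2026-02-12 10:01:09 UTC STATEMENT:  SET search_path TO 'acme_site';SELECT 1--",
    '2026-02-12 10:02:00 UTC STATEMENT:  SET search_path TO "acme_site"',  # benign
]

APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ (?P<usec>\d+)$'
)
WATCHED_PATHS = {"/api/v1/auth/signin", "/api/v1/init_consts"}
SLOW_SECONDS = 5.0       # article: 5-20+ second responses are suspicious (assumed threshold)
ERROR_THRESHOLD = 2      # repeated HTTP 500s from one IP on init_consts (assumed threshold)
SEARCH_PATH_RE = re.compile(r"search_path\s+TO\s+(?P<value>.*)$", re.IGNORECASE)
# Single quotes, semicolons or SQL keywords inside a search_path value; a
# double-quoted identifier such as "acme_site" is normal and is not flagged.
SQL_MARKERS = re.compile(r"[';]|\b(SELECT|UNION|INSERT|UPDATE|DELETE|DROP)\b", re.IGNORECASE)

def scan_apache(lines):
    """Return (kind, ip, path, value) findings for slow hits and repeated 500s."""
    findings, errors = [], Counter()
    for line in lines:
        m = APACHE_RE.match(line)
        if not m:
            continue  # unparseable line; in production, count these separately
        ip, path, status = m["ip"], m["path"].split("?")[0], int(m["status"])
        if path not in WATCHED_PATHS:
            continue
        secs = int(m["usec"]) / 1_000_000
        if secs >= SLOW_SECONDS:
            findings.append(("slow_response", ip, path, secs))
        if path == "/api/v1/init_consts" and status == 500:
            errors[ip] += 1
    for ip, n in errors.items():
        if n >= ERROR_THRESHOLD:
            findings.append(("repeated_500", ip, "/api/v1/init_consts", n))
    return findings

def scan_postgres(lines):
    """Return search_path statements whose value carries quotes, semicolons or keywords."""
    return [l for l in lines if (m := SEARCH_PATH_RE.search(l)) and SQL_MARKERS.search(m["value"])]
```

Run both scanners over the real files and alert on any finding; the benign 200-status and double-quoted search_path lines in the sample produce nothing.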
Bishop Fox advises organizations running FortiClient EMS 7.4.4 to upgrade to version 7.4.5 immediately to reduce the risk. Where patching must wait, teams should disable the multi-tenant "Sites" feature, which keeps the vulnerable code path from executing. Administrators should also restrict access to the EMS web management interface to trusted internal networks.