CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

OTP Disclosure via Exported TokenContentProvider

unknownCVE-2026-44279
CVSSv3 Score: 5.0 An improper export of Android application components [CWE-926] in FortiTokenAndroid may allow other applications on the device to read the OTP code via an exported Content Provider URI. Revised on 2026-05-12 00:00:00

CSIRTS triage

What
An improper export of application components allows other apps to read OTP codes.
Who is affected
Users of FortiTokenAndroid on their devices.
Urgency
Remediation is important to prevent unauthorized access to OTP codes.
Action
Apply patches or restrict access to the affected components.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch FortiTokenAndroid

Get an email when a new FortiTokenAndroid advisory drops — max one per day, one-click unsubscribe.

Details

Source
Fortinet FortiGuard PSIRT (INTL · vendor-psirt · site)
Severity
unknown
Published
2026-05-12
Exploitation
Not in CISA KEV at last sync

Original advisory: https://fortiguard.fortinet.com/psirt/FG-IR-26-130

Exploitation outlook

EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-44279coverage & exploitation statusNVD · CVE.org

More from Fortinet FortiGuard PSIRT