CVE-2026-0971 Overview
An improper session timeout vulnerability exists in Fortra's GoAnywhere MFT prior to version 7.10.0. This security flaw affects the SAML authentication mechanism, causing Web Users configured for SAML authentication to be redirected to the regular login page instead of the SAML login page after session timeout. This behavior may allow attackers to capture user credentials through the alternate authentication flow or enable potential session confusion attacks.
Critical Impact
SAML-configured users may inadvertently enter credentials into the standard login form, potentially exposing authentication data to unauthorized capture or enabling authentication bypass scenarios.
Affected Products
- Fortra GoAnywhere Managed File Transfer versions prior to 7.10.0
- GoAnywhere MFT deployments using SAML authentication for Web Users
- Enterprise file transfer environments with SAML/SSO integration
Discovery Timeline
- 2026-04-21 - CVE CVE-2026-0971 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2026-0971
Vulnerability Analysis
This vulnerability is classified as CWE-613 (Insufficient Session Expiration), which relates to improper session timeout handling in web applications. The issue occurs when a SAML-authenticated user's session expires in GoAnywhere MFT. Instead of redirecting the user back to the configured SAML Identity Provider (IdP) for re-authentication, the application incorrectly routes the user to the standard GoAnywhere login page.
This misbehavior creates a security gap in environments that rely on SAML for centralized authentication and access control. Users accustomed to single sign-on may not notice the discrepancy and could enter credentials directly into the standard form, potentially undermining the security benefits of federated authentication.
Root Cause
The root cause of CVE-2026-0971 is improper session state management in the GoAnywhere MFT web application. When handling session timeout events, the application fails to properly preserve the user's authentication context, specifically whether the user originally authenticated via SAML. Without this context, the session timeout handler defaults to redirecting users to the standard login page rather than invoking the SAML re-authentication flow.
Attack Vector
The attack vector for this vulnerability is network-based and requires user interaction. An attacker could potentially exploit this vulnerability through the following scenarios:
Credential Harvesting: In a phishing scenario, an attacker could craft conditions that force session timeouts, leading users to enter credentials on the standard login page where they may be more susceptible to credential theft.
Authentication Confusion: Users may bypass SAML-enforced security policies (such as multi-factor authentication at the IdP level) by authenticating directly through the standard login page if local authentication is also enabled.
Session State Manipulation: Attackers with network access could potentially influence session timeout behavior to force users into the vulnerable authentication flow.
The vulnerability manifests in the session management layer of GoAnywhere MFT. When a SAML user's session expires, the application should preserve the authentication context and redirect to the appropriate SAML IdP. Instead, the context is lost, and users see the standard credential form. For detailed technical information, see the Fortra Security Advisory.
Detection Methods for CVE-2026-0971
Indicators of Compromise
- Unexpected standard login page appearances for users configured with SAML authentication
- Authentication logs showing SAML users authenticating via local credentials
- Session timeout events followed by non-SAML authentication attempts from the same user
- User reports of being directed to the wrong login page after idle sessions
Detection Strategies
- Monitor authentication logs for discrepancies between configured authentication methods and actual login types
- Implement alerting for SAML-configured users who successfully authenticate via standard login forms
- Review web application logs for session timeout events followed by incorrect redirect patterns
- Deploy network monitoring to detect anomalous authentication flow patterns
Monitoring Recommendations
- Enable detailed authentication logging in GoAnywhere MFT to capture authentication method metadata
- Configure SIEM rules to correlate session timeout events with subsequent authentication method changes
- Implement user behavior analytics to detect unusual authentication patterns for SAML-configured accounts
- Monitor for increased standard login attempts from users who should exclusively use SAML
How to Mitigate CVE-2026-0971
Immediate Actions Required
- Upgrade Fortra GoAnywhere MFT to version 7.10.0 or later immediately
- Review authentication logs for evidence of SAML users authenticating via standard login
- Consider temporarily disabling standard login for SAML-configured users if the upgrade cannot be immediately applied
- Notify users about the vulnerability and instruct them to verify they are on the correct SAML login page
Patch Information
Fortra has addressed this vulnerability in GoAnywhere MFT version 7.10.0. Organizations running affected versions should upgrade to this version or later as soon as possible. The patch corrects the session timeout handling to properly preserve SAML authentication context and redirect users to the appropriate SAML Identity Provider for re-authentication. Detailed patch information is available in the Fortra Security Advisory.
Workarounds
- Disable local authentication for SAML-configured user accounts to prevent credential entry on the standard login page
- Implement network-level controls to block access to the standard login endpoint for SAML-only users
- Configure shorter session timeouts to reduce the window of exposure while waiting for patch deployment
- Train users to recognize and report unexpected authentication page redirects
# Configuration example - Disable local authentication for SAML users
# This configuration should be applied in GoAnywhere MFT admin console
# Navigate to Users > Web Users > [User] > Authentication Settings
# Set "Allow Local Authentication" to "No" for SAML-configured users
#
# Alternatively, configure via CLI if available:
# goanywhere config set auth.saml.users.local_auth_enabled=false
# goanywhere service restart
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
