CVE-2026-0971 PUBLISHED

GoAnywhere MFT SAML Sessions do not redirect to logout URL on session timeout

Assigner: Fortra
Reserved: 14.01.2026 Published: 21.04.2026 Updated: 21.04.2026

An improper session timeout issue in Fortra's GoAnywhere MFT prior to version 7.10.0 results in SAML configured Web Users being redirected to the regular login page instead of the SAML login page.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CVSS Score: 4.3

Product Status

Vendor Fortra
Product GoAnywhere MFT
Versions Default: unaffected
  • affected from 0 to 7.10.0 (excl.)

Solutions

Update to version 7.10.0 or higher of GoAnywhere MFT

Problem Types

  • CWE-613 Insufficient session expiration

Impacts

  • CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs