
Resolved issues

This section lists issues that have been fixed in version 8.0.3. For inquiries about a particular bug, please contact Fortinet Customer Service & Support: https://support.fortinet.com

Bug ID / Description

1161319

certd may stop checking for expiring certificates due to file descriptor leaks caused by unfreed BIO objects, leading to a silent failure until the process is restarted.

1165918

Pasting multiple IP addresses into the Source filter field on the Attack Log page produced empty results. The filter logic did not correctly interpret pasted entries as separate values. A note has been added to the GUI log pages explaining how to manually use the OR operator when entering multiple filter conditions.

1177864

Traffic did not fail over when using scripting-based load balancing. When a server returned an HTTP 503 response, subsequent requests continued to be sent to the same server because Lua persistence entries could not be removed.

1178228

Changes to signature exceptions may not apply immediately under high traffic. The update takes effect only after a delay or after HA failover. The issue is caused by configuration writer starvation under the current locking mechanism.

1194449

Customized column settings in the Attack Log page were not retained when viewing archived log files. Opening logs through Log Management caused the column configuration to revert to default.

1197768

FortiWeb generated incorrect event log entries for administrator login failures from untrusted hosts. When multiple administrator accounts were configured with trust host restrictions, the system logged failed login attempts under other valid usernames due to a loop error in the trust host verification logic.

1200770

FortiWeb reset HTTP/2 requests when content routing was enabled. Under high HTTP/2 request rates, the Session Management module incorrectly counted individual requests as separate TCP connections, causing the request counter to accumulate and triggering period-block actions. This resulted in unexpected connection resets for all routed hosts.

1207216

When the HTTP Header Security (HHS) module was enabled with no rules configured, FortiWeb continued to buffer response data, which caused Server-Sent Events (SSE) responses to be dropped.

1208900

FortiWeb allowed the use of weak SSH MAC algorithms umac-128-etm@openssh.com and umac-128@openssh.com. These algorithms have been removed from the supported MAC list to ensure compliance with cryptographic security standards such as PCI DSS.

1209339

FortiWeb failed to authenticate administrators using FortiCloud SSO on some appliances with identical firmware. The SAML login process stopped due to missing certificate handling, preventing completion of the FortiCloud SSO flow.

1212297

FortiWeb blocked gRPC responses due to incorrect handling of HTTP/2 frame sequences. When a response included headers followed by trailers without an intervening data frame, FortiWeb generated an invalid 0-byte DATA frame with the EndStream flag set, causing the trailing header frame to be dropped and preventing the response from reaching the client.

1212635/1220457

The proxyd process became unresponsive due to a client-management operation that performed slow Redis writes while holding a lock. This caused the proxy to hang, preventing traffic from being processed until the unit rebooted or failed over.

1212693

FortiWeb did not include the Host header when forwarding requests to an ICAP server, causing downstream ICAP systems to receive incomplete contextual information.

1214406

FortiWeb returned intermittent HTTP 503 errors when processing multiple HTTP/1.1 requests over the same client connection. If consecutive requests matched different content-routing rules or backend pools, FortiWeb incorrectly reused the previous upstream connection instead of opening a new one, causing routing failures.

1215779

OFTP log forwarding did not resume after the connection to FortiAnalyzer was disrupted. The OFTP client failed to re-establish the transport session following events such as a FortiAnalyzer reboot or HA role change, leaving the session in a persistent “not ready” state and causing logs to remain queued rather than forwarded.

1219535

FortiWeb did not detect SQL injection payloads embedded inside nested JSON strings. When the SQL expression appeared within an escaped JSON value, the signature engine matched the payload but the False Positive Mitigation (FPM) stage incorrectly classified it as benign, resulting in the attack not being blocked.

1222647

When the Login Disclaimer banner is enabled, the GUI becomes inaccessible and returns an ERR_EMPTY_RESPONSE error. The issue occurs due to a null pointer condition during cookie handling in the login disclaimer process.

Important: FIPS users are advised not to upgrade to this release, as the login disclaimer cannot be disabled in FIPS mode. Upgrading under these conditions results in loss of GUI access, leaving only SSH and console access available.

1224444

In some deployments using 10-Gbps i40e interfaces, a link-down event on one v-zone member did not propagate to the other port. Although FortiWeb reported the interface as down, the physical link remained active, preventing expected failover behavior. The issue was caused by the i40e driver not bringing down the PHY on interface close. The driver has been updated to ensure v-zone members drop link correctly when any member fails.

1225626

Remote administrator logins using RADIUS experienced GUI failures. In HA mode, the secondary unit rejected API calls because the access profile name was not passed correctly, causing the GUI to log out when loading HA Topology. An input-validation error also caused widget actions to fail.

1226243

FortiWeb experienced high memory consumption due to a memory leak in proxyd. The module did not release svrnm_sess_hash and associated SNI domain data during SSL context cleanup, causing heap growth over time.

1228155

In certain cases, the Web Vulnerability Scan (WVS) runtime directory was initialized in an incorrect filesystem path (/var/log/lib/ rather than /var/log/wvs/). When this occurred, the WVS engine could not locate required working files, resulting in scan-startup failures, template-creation errors, and “Internal Server Error” responses when accessing Web Vulnerability Scan > Scan History.

1228318

Report generation could stall at 1% due to a crash in the reportd process when processing Attack Details data.

1231821/1231926

Intermittent server-to-server communication failures were caused by crashes in the proxyd process. The issue occurred when the Real Browser Enforcement (RBE) module accessed uninitialized or corrupted state from a previous transaction.

1233160

After a reboot triggered by operations such as applying a new VM license, the admin account password could be reset to the default value, and in some cases remote administrator entries were removed. The issue was caused by the configuration save process incorrectly restoring the admin user during cmf_write_all_config.