Fortinet Discloses Cleartext Credential Exposure in FortiSOAR API Responses
Fortinet has disclosed a cleartext transmission vulnerability in FortiSOAR that could allow authenticated attackers to view passwords in API responses for Secure Message Exchange and Radius queries.

Fortinet has disclosed a cleartext transmission vulnerability in its FortiSOAR security orchestration, automation, and response (SOAR) platform. Tracked as FG-IR-26-106, the flaw (CWE-319) carries a CVSS score of 6.2 and affects both cloud-based (PaaS) and on-premises deployments across multiple version branches. The advisory was revised and published on April 14, 2026.
The vulnerability resides in how FortiSOAR handles responses for Secure Message Exchange and Radius queries when those features are configured. An authenticated attacker can view cleartext passwords in the API responses, potentially gaining access to sensitive credentials used for integrations and authentication. The issue was internally discovered and reported by Kushal Arvind Shah of the Fortinet PSIRT team.
Affected versions include FortiSOAR PaaS 7.6.0 through 7.6.3, 7.5.0 through 7.5.2, and all versions of 7.4 and 7.3. On-premises deployments are similarly impacted: 7.6.0 through 7.6.2, 7.5.0 through 7.5.1, and all versions of 7.4 and 7.3. Fortinet has released fixes for the supported branches: 7.6.4 or above for both PaaS and on-premises 7.6, and 7.5.3 or above for both PaaS and on-premises 7.5. Users on versions 7.4 and 7.3 are advised to migrate to a fixed release.
While the CVSS score of 6.2 places this vulnerability in the medium severity range, the exposure of cleartext credentials in API responses is a significant concern for organizations that rely on FortiSOAR to orchestrate security workflows. An attacker with authenticated access could leverage the exposed passwords to pivot to other systems, escalate privileges, or disrupt automated incident response processes.
Fortinet has not reported any active exploitation of this vulnerability in the wild, but the company encourages all customers to apply the available patches as soon as possible. Because the advisory attributes the discovery to Fortinet's own PSIRT team, no external reports of exploitation appear to have been received.
This disclosure follows a pattern of credential exposure vulnerabilities in enterprise security platforms. Earlier in 2026, Ivanti patched a similar issue in Endpoint Manager (CVE-2026-8109) that could expose stored credentials, and CISA warned of an authentication bypass in ZKTeco CCTV cameras that exposed account credentials. The recurring theme underscores the importance of secure credential handling in API responses, especially in platforms that manage security operations.
Organizations using FortiSOAR should review their deployment versions and apply the appropriate updates or migrations. The full advisory is available on the Fortinet PSIRT page.