VYPR
Advisory · Published Apr 14, 2026 · Updated May 20, 2026 · 1 source

Fortinet Discloses LDAP Credential Exposure in FortiSandbox GUI

Fortinet disclosed a vulnerability in FortiSandbox and FortiSandbox PaaS that allows authenticated administrators to read LDAP server credentials via client-side inspection.

Fortinet has disclosed a vulnerability in the web GUI of FortiSandbox and FortiSandbox PaaS that could allow an authenticated administrator to read LDAP server credentials through client-side inspection. The issue, tracked as FG-IR-26-113, is classified under CWE-522 (Insufficiently Protected Credentials) and carries a CVSSv3 score of 2.5, indicating low severity.

The vulnerability affects FortiSandbox versions 5.0.0 through 5.0.5 and FortiSandbox PaaS versions 5.0.1 through 5.0.5. Fortinet has released FortiSandbox 5.0.6 to address the flaw, while users of FortiSandbox 4.4 (all versions) are advised to migrate to a fixed release. The advisory was initially published on April 14, 2026.

According to the advisory, an authenticated administrator with access to the LDAP configuration page can retrieve the LDAP bind credentials in plaintext by inspecting the page source or the client-side code and responses that the page loads, for example with a browser's developer tools. The root cause is that the web interface sends the stored credential to the browser rather than treating it as a write-only field, so anyone holding an administrator account and a browser can read it. The practical consequence is that GUI administrator access converts into a credential for the organization's directory service, which is a different and potentially more sensitive system than the sandbox itself.
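The pattern behind CWE-522 on a settings page, shown as an added example rather than Fortinet's code: a vulnerable handler that serializes the stored LDAP profile into the page as-is, a hardened handler that treats the bind password as write-only and reports only whether one is set, the matching save handler that keeps the existing password when the client echoes the placeholder back, and a check that scans a rendered response for a secret. The configuration values, field names and placeholder string are constructed for illustration and do not describe FortiSandbox internals.

```python
"""
Added example (not Fortinet's code): the vulnerable and hardened forms of an
LDAP settings view, plus a response check. All names are illustrative.
"""
import json

# Constructed sample record standing in for a stored LDAP profile.
SAMPLE_CONFIG = {
    "server": "ldap.example.internal",
    "port": 636,
    "bind_dn": "cn=sandbox-bind,ou=service,dc=example,dc=internal",
    "bind_password": "S3cret-bind-pw",
}

# Placeholder the UI shows in the password field; never a real value.
REDACTED = "********"


def render_ldap_settings_vulnerable(cfg: dict) -> str:
    """Vulnerable pattern: the stored record is serialized unchanged into the
    JSON the page fetches, so the bind password reaches the browser and can be
    read from the network tab or the page's inline script data."""
    return json.dumps({"ldap": cfg})


def render_ldap_settings_hardened(cfg: dict) -> str:
    """Hardened pattern: the secret is write-only. The client receives a fixed
    placeholder plus a boolean saying whether a password is configured."""
    public = {k: v for k, v in cfg.items() if k != "bind_password"}
    public["bind_password"] = REDACTED
    public["bind_password_set"] = bool(cfg.get("bind_password"))
    return json.dumps({"ldap": public})


def apply_ldap_settings_update(cfg: dict, form: dict) -> dict:
    """Save handler for the hardened form. Because the browser never saw the
    real password, a submitted placeholder or empty field means "keep the
    existing password"; any other value replaces it."""
    updated = dict(cfg)
    for key in ("server", "port", "bind_dn"):
        if key in form:
            updated[key] = form[key]
    submitted = form.get("bind_password", "")
    if submitted and submitted != REDACTED:
        updated["bind_password"] = submitted
    return updated


def response_leaks_secret(body: str, secret: str) -> bool:
    """Check any rendered response body (HTML, JSON, inline JS) for a value
    that must never reach the client. Useful as a regression test on every
    settings endpoint that stores credentials."""
    return secret in body


if __name__ == "__main__":
    pw = SAMPLE_CONFIG["bind_password"]
    print("vulnerable leaks:", response_leaks_secret(render_ldap_settings_vulnerable(SAMPLE_CONFIG), pw))
    print("hardened leaks:  ", response_leaks_secret(render_ldap_settings_hardened(SAMPLE_CONFIG), pw))
    print("keeps password on placeholder:",
          apply_ldap_settings_update(SAMPLE_CONFIG, {"bind_password": REDACTED})["bind_password"] == pw)
```

The save handler is the part teams most often get wrong when they fix this class of bug: once the GUI stops sending the password, the form will submit the placeholder on every unrelated edit, and a handler that blindly stores whatever arrives will overwrite the real bind password with eight asterisks.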

Fortinet credited Juampa Rodriguez from Red Electrica with reporting the vulnerability under responsible disclosure. The company did not report any evidence of exploitation in the wild, and the low CVSS score reflects that the attacker must already hold administrative access to the appliance. The score should not be read as "no impact": the credential exposed is the directory bind account, so a compromised or malicious administrator gains a foothold on the LDAP server with whatever rights that account carries.

This disclosure is part of a series of Fortinet advisories released in April 2026, including patches for critical RCE flaws in FortiAuthenticator and FortiSandbox, as well as high-severity command injection and argument injection vulnerabilities in FortiAP and FortiDeceptor. Organizations running FortiSandbox 5.0.x should upgrade to 5.0.6 or later, and those on 4.4 should migrate to a fixed release. Because the bind password may already have been read by any administrator on an unpatched system, rotate the LDAP bind credential after upgrading and confirm the bind account holds only the directory rights the sandbox needs.

Synthesized by Vypr AI