Fortinet Discloses Multiple Path Traversal Vulnerabilities in FortiWeb
Fortinet has disclosed multiple relative path traversal vulnerabilities in FortiWeb that could allow a local privileged attacker to execute unauthorized code on the underlying system.
Fortinet disclosed multiple relative path traversal vulnerabilities (CWE-23) in its FortiWeb web application firewall product on April 14, 2026. The flaws, tracked under advisory FG-IR-26-114, carry a CVSSv3 score of 6.2 and affect a wide range of FortiWeb versions. A local privileged attacker can exploit these vulnerabilities via crafted CLI commands to execute unauthorized code on the underlying system.
The vulnerabilities impact FortiWeb versions 8.0.0 through 8.0.2, 7.6.0 through 7.6.6, 7.4.1 through 7.4.12, 7.2.7 through 7.2.12, and 7.0.10 through 7.0.12. Fortinet has released fixes for the affected versions, with upgrades to FortiWeb 8.0.3 or above for version 8.0, and FortiWeb 7.6.7 or above for version 7.6. For older branches (7.4, 7.2, and 7.0), the company advises migrating to a fixed release.
The advisory credits security researchers Sil3N4v and BlueH3lm for reporting the vulnerabilities under responsible disclosure. No CVE IDs were provided in the advisory, which is unusual for a Fortinet PSIRT disclosure. The company did not indicate whether the vulnerabilities have been exploited in the wild.
Path traversal vulnerabilities allow attackers to access files and directories stored outside the intended web root folder. In this case, the flaws are accessible only to local privileged attackers, meaning an attacker would need existing access to the FortiWeb system to exploit them. However, once exploited, the vulnerabilities could enable code execution on the underlying operating system, potentially allowing attackers to pivot to other systems on the network.
FortiWeb is a web application firewall designed to protect web applications from attacks such as SQL injection, cross-site scripting, and other OWASP Top 10 threats. It is widely deployed in enterprise environments to secure public-facing web applications. The product's CLI interface is typically used by administrators for configuration and management tasks.
Organizations running affected versions of FortiWeb should prioritize patching, especially if the management interface is exposed to internal networks where privileged users may have broader access. Fortinet recommends upgrading to the latest available versions as outlined in the advisory. No workarounds or mitigations were provided for versions that cannot be immediately upgraded.
This disclosure follows a pattern of path traversal vulnerabilities in network security appliances, which have become an increasingly common attack vector. While the CVSS score of 6.2 is considered medium severity, the potential for code execution on the underlying system makes these flaws significant, particularly in environments where FortiWeb is deployed as a critical security control.