Fortinet Discloses Path Traversal Vulnerability in FortiSOAR File Content Extraction Connector

Fortinet has disclosed a path traversal vulnerability (FG-IR-26-116) in the File Content Extraction connector of its FortiSOAR security orchestration, automation, and response (SOAR) platform. The flaw, classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), could allow an authenticated remote attacker to traverse directories and potentially access files outside the intended scope. The vulnerability carries a CVSSv3 base score of 6.2, indicating a medium severity risk.

The vulnerability affects both FortiSOAR PaaS and on-premise deployments across versions 7.3 through 7.6. Specifically, FortiSOAR PaaS 7.6.0 through 7.6.3 and all versions of 7.5, 7.4, and 7.3 are impacted, along with the corresponding on-premise releases. The issue resides in the File Content Extraction actions, which fail to properly restrict pathnames, enabling directory traversal attacks.

Fortinet has released a fix in the form of FortiSOAR File Content Extraction Connector Version 1.3.1 or above. Users are strongly advised to upgrade to this version to mitigate the risk. The advisory was published on April 14, 2026, and the vulnerability was internally discovered and reported by Shripal Rawal of the Fortinet PSIRT team.

While the vulnerability requires authentication, its exploitation could allow attackers to read arbitrary files on the affected system, potentially exposing sensitive configuration data, credentials, or other critical information. Given FortiSOAR's role in centralizing security operations, a compromise could have cascading effects on an organization's security posture.

This disclosure follows a pattern of path traversal vulnerabilities in enterprise software, which remain a common attack vector. Fortinet's advisory provides a clear upgrade path, and no active exploitation has been reported at this time. Organizations using FortiSOAR should prioritize patching to prevent potential breaches.