Fortinet Discloses SSRF Vulnerability in FortiSOAR Allowing Local Port Probing
Fortinet has disclosed a server-side request forgery vulnerability in FortiSOAR that could allow authenticated attackers to probe local ports and discover services running on the host.

Fortinet has disclosed a server-side request forgery (SSRF) vulnerability in its FortiSOAR security orchestration, automation, and response platform, tracked as FG-IR-26-103. The flaw, classified under CWE-918, carries a CVSSv3 score of 4.1 and affects both the PaaS and on-premise versions of the product. An authenticated attacker can exploit this vulnerability by sending crafted requests to probe local ports and discover services running on the host, potentially gathering intelligence for further attacks.
The vulnerability impacts a wide range of FortiSOAR versions. For the PaaS offering, versions 7.6.0 through 7.6.4 are affected, with fixes available in 7.6.3 or 7.6.5. Versions 7.5.0 through 7.5.2 require an upgrade to 7.5.3 or above, while versions 7.4 and 7.3 are end-of-life and require migration to a supported release. The on-premise versions follow the same patching guidance, with 7.6.4 needing an upgrade to 7.6.5, and 7.6.0 through 7.6.2 requiring 7.6.3 or 7.6.5. Older on-premise versions 7.5, 7.4, and 7.3 must be upgraded or migrated accordingly.
The SSRF vulnerability allows an attacker with valid credentials to make the FortiSOAR server send requests to internal resources, effectively enabling them to map the internal network and identify running services. While the CVSS score is relatively low due to the requirement for authentication, the potential for information gathering could aid in chaining this flaw with other vulnerabilities to achieve more severe impacts. Fortinet credited Shripal Rawal of the Fortinet PSIRT team for internally discovering and reporting the issue.
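The defensive counterpart to the behaviour described above is a destination check that a server-side fetcher applies before following any user-supplied URL, so the server cannot be steered at loopback, link-local or private addresses. The following is an added example, not FortiSOAR's own code; the scheme allowlist, the blocked ranges, the injectable resolver and the sample address 93.184.216.34 are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumption: only plain HTTP(S) fetches are legitimate for this fetcher.
ALLOWED_SCHEMES = {"http", "https"}


def is_blocked_address(addr: str) -> bool:
    """True if addr must never be reached from a server-side fetch:
    loopback, RFC 1918/ULA, link-local (incl. cloud metadata), multicast,
    reserved or unspecified. IPv4-mapped IPv6 is unwrapped first so
    ::ffff:127.0.0.1 is judged as 127.0.0.1."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def _default_resolver(host: str) -> list:
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def check_destination(url: str, resolver=None) -> tuple:
    """Return (allowed, reason). `resolver(host) -> list[str]` is injectable
    so the check runs offline in tests. Every resolved address must pass:
    a name with even one internal record is rejected, which also covers
    split-horizon names that resolve to an internal host."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname  # brackets stripped for IPv6 literals
    if not host:
        return False, "no host in URL"
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal, no DNS needed
    except ValueError:
        try:
            addrs = (resolver or _default_resolver)(host)
        except socket.gaierror:
            return False, f"cannot resolve {host}"
    if not addrs:
        return False, f"no addresses for {host}"
    for addr in addrs:
        if is_blocked_address(addr):
            return False, f"{host} resolves to blocked address {addr}"
    return True, "ok"
```

The address that passed the check must also be the one the client actually connects to (pin it rather than re-resolving), otherwise a DNS answer that changes between check and connect defeats the control.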
Fortinet has released security updates to address the vulnerability, and users are strongly advised to upgrade their FortiSOAR instances to the latest fixed versions as outlined in the advisory. For those running end-of-life versions 7.4 and 7.3, migration to a supported release is the only solution, as no patches will be provided for these older branches. The advisory was initially published on April 14, 2026, and no revisions have been made since.
This disclosure comes amid a broader trend of SSRF vulnerabilities being discovered in enterprise software, often used by attackers to bypass network segmentation and access internal systems. While the FortiSOAR flaw requires authentication, it underscores the importance of securing orchestration platforms that often have elevated access to other systems. Organizations using FortiSOAR should prioritize patching to prevent potential reconnaissance activities that could precede more damaging attacks.