VYPR advisory
Published Apr 14, 2026 · Updated May 20, 2026 · 1 source

FortiSOAR Stored Credential Flaw Lets Attackers Recover LDAP Passwords

Fortinet has disclosed a stored password vulnerability in its FortiSOAR security orchestration platform that could allow an authenticated attacker to retrieve clear-text LDAP service account credentials.

Fortinet has published a security advisory for FortiSOAR, its security orchestration, automation, and response (SOAR) platform, detailing a stored password vulnerability tracked as FG-IR-26-105. The flaw, classified under CWE-257 (Storing Passwords in a Recoverable Format), carries a CVSSv3 score of 4.1 and affects both cloud-based (PaaS) and on-premise deployments across multiple version branches. An authenticated remote attacker can exploit the vulnerability by modifying the LDAP server address in the configuration, which causes the system to display the associated Service account password in clear text.

The issue, which was internally discovered and reported by Shripal Rawal of the Fortinet PSIRT team, impacts FortiSOAR PaaS versions 7.3 through 7.6.4 and on-premise versions in the same range. Specifically, FortiSOAR PaaS and on-premise 7.6.0 through 7.6.4, 7.5.0 through 7.5.2, and all versions of 7.4 and 7.3 are listed as affected. The vulnerability is notable because it targets a core integration component — the LDAP configuration that many large organizations rely on for centralized authentication and user provisioning.

The technical mechanism is straightforward: an attacker who already has authenticated access to the FortiSOAR console can modify the server address field within the LDAP connector settings. The system then echoes the stored Service account password back in plain text, allowing the attacker to harvest credentials that may have elevated privileges across the broader network. Because the FortiSOAR platform often serves as a central nervous system for security operations, a compromised Service account can lead to lateral movement and deeper compromise of connected systems.
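To make the CWE-257 pattern concrete, the following is an added illustrative model, not FortiSOAR code and not from the advisory: a connector-settings handler that echoes the whole stored record (secret included) after an update, beside a hardened version that treats the password as write-only and returns only a mask. The class and field names and the sample values are constructed for the example.

```python
from dataclasses import dataclass

SECRET_MASK = "********"  # placeholder returned in place of the stored secret


@dataclass
class LdapConnector:
    server: str
    bind_dn: str
    password: str  # service-account secret kept for outbound LDAP binds


class VulnerableSettingsApi:
    """Models the behaviour described above: any update returns the full record."""

    def __init__(self, conn: LdapConnector) -> None:
        self.conn = conn

    def update(self, changes: dict) -> dict:
        for key, value in changes.items():
            setattr(self.conn, key, value)
        return vars(self.conn).copy()  # leaks conn.password in clear text


class HardenedSettingsApi:
    """Write-only secret: never echoed back; the mask means 'keep current value'."""

    def __init__(self, conn: LdapConnector) -> None:
        self.conn = conn

    def update(self, changes: dict) -> dict:
        for key, value in changes.items():
            if key == "password" and value in ("", SECRET_MASK):
                continue  # no new secret supplied, so the stored one is kept
            setattr(self.conn, key, value)
        return self.view()

    def view(self) -> dict:
        redacted = vars(self.conn).copy()
        redacted["password"] = SECRET_MASK if redacted["password"] else ""
        return redacted


def demo() -> tuple:
    """Constructed sample: the same server-address change through both handlers."""
    weak = VulnerableSettingsApi(LdapConnector("ldap://dc01.example", "cn=svc,dc=example", "s3cret"))
    hard = HardenedSettingsApi(LdapConnector("ldap://dc01.example", "cn=svc,dc=example", "s3cret"))
    change = {"server": "ldap://dc02.example"}
    return weak.update(change)["password"], hard.update(change)["password"], hard.conn.password
```

The hardened handler still lets an operator rotate the secret by sending a new value; it only refuses to reveal the existing one.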

Fortinet has provided fixed software releases for all currently supported branches. Administrators should upgrade FortiSOAR PaaS and on-premise 7.6.x to version 7.6.5 or above, and 7.5.x to version 7.5.3 or above. Customers running versions 7.4 or 7.3, which have reached end-of-life for some components, are advised to migrate to a fixed release as no patches will be issued for those branches. The advisory was revised and published on April 14, 2026, with no indication of active exploitation in the wild at the time of publication.

This disclosure is part of a broader pattern in 2026 of credential storage flaws surfacing in enterprise platforms. Similar issues have been found in Ivanti's Endpoint Manager (CVE-2026-8109) and ZKTeco CCTV cameras (CVE-2026-8598), suggesting that recoverable password storage remains a persistent weakness in security products themselves. The FortiSOAR vulnerability is particularly concerning because it affects a platform designed to coordinate incident response, potentially giving attackers visibility into workflows and integrations that handle sensitive threat intelligence.

Organizations using FortiSOAR should prioritize patching affected systems and review LDAP Service account permissions to limit the blast radius in the event of a compromise. While the CVSS score is moderate, the combination of clear-text credential exposure and the platform's central role in security operations elevates the practical risk. Fortinet's advisory remains the authoritative source for mitigation details.

Synthesized by Vypr AI