Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
6DescriptionNVD
A cleartext transmission of sensitive information vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.3, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 through 7.6.2, FortiSOAR on-premise 7.5.0 through 7.5.1, FortiSOAR on-premise 7.4 all versions, FortiSOAR on-premise 7.3 all versions may allow an authenticated attacker to view cleartext password in response for Secure Message Exchange and Radius queries, if configured
AnalysisAI
Fortinet FortiSOAR (both PaaS and on-premise versions 7.3-7.6.x) transmits sensitive authentication credentials in cleartext in API responses for Secure Message Exchange and RADIUS configurations, allowing authenticated attackers with network access to intercept and view passwords. The vulnerability requires user interaction (UI:R) and prior authentication (PR:L), affecting confidentiality of stored credentials in these integrations with a CVSS score of 5.7.
Technical ContextAI
FortiSOAR is a Security Orchestration, Automation and Response (SOAR) platform used to integrate and orchestrate security tools. The vulnerability stems from CWE-319 (Cleartext Transmission of Sensitive Information), a failure to encrypt sensitive data in transit. Specifically, when FortiSOAR retrieves or displays configuration data for Secure Message Exchange connectors or RADIUS authentication sources, the system includes plaintext passwords in HTTP/HTTPS responses. This affects both the cloud-hosted PaaS variant (cpe:2.3:a:fortinet:fortisoar_paas:*:*:*:*:*:*:*:*) and on-premise deployments (cpe:2.3:a:fortinet:fortisoar_on-premise:*:*:*:*:*:*:*:*). An attacker positioned to intercept network traffic between the authenticated user's browser/client and the FortiSOAR server could capture these credentials, or a malicious authenticated user could directly extract them from API responses.
RemediationAI
Fortinet has released patched versions; organizations should upgrade to FortiSOAR on-premise 7.5.2 or later (for the 7.5.x branch), 7.6.3 or later (for the 7.6.x branch), or 7.7.0+ (if available), and FortiSOAR PaaS to version 7.6.3 or later or 7.5.2 or later depending on branch. For users unable to patch immediately, apply network segmentation to restrict access to FortiSOAR API endpoints and limit who can authenticate to the platform, reducing the attack surface. Audit existing Secure Message Exchange and RADIUS configurations to identify any credentials that may have been exposed, and rotate those credentials post-patch. Refer to Fortinet advisory FG-IR-26-106 at https://fortiguard.fortinet.com/psirt/FG-IR-26-106 for official patch availability and timelines.
More in Fortisoar Paas
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22315
GHSA-9qp2-w8w6-fgc3