PSIRT Advisories

FortiSOAR - Improper access control on gateway API


An improper access control vulnerability [CWE-284] in FortiSOAR may allow an unauthenticated attacker to access gateway API data via crafted HTTP GET requests.

Affected Products

FortiSOAR versions 7.0.2 and below
FortiSOAR versions 6.4.4 and below
FortiSOAR version 6.0.0
FortiSOAR versions 5.x.x


Please upgrade to FortiSOAR version 7.2.0 or above.


Alternatively, install the security patch on an affected FortiSOAR version as follows:
1. SSH to your FortiSOAR VM and log in as the root user.
2. Download the security patch file from the repository server using the following command:
wget
3. Update the permissions of the file and run the following commands to apply the patch:
sudo chmod 755 nginx-security-patch
sudo ./nginx-security-patch
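The patch procedure above downloads a binary and runs it as root. The following POSIX shell script is an added example, not part of the Fortinet advisory or FortiSOAR itself: it wraps the same download, chmod and execute steps but adds a SHA-256 check before anything is executed, so a corrupted or substituted download is refused. PATCH_URL and EXPECTED_SHA256 are placeholders (the advisory publishes neither); set them from the patch repository and a checksum you obtained out of band.

```shell
#!/bin/sh
# Added example: guarded version of the FortiSOAR nginx-security-patch steps.
# The checksum verification is an addition of this example; the advisory only
# lists wget, chmod 755 and running the patch.

# Placeholders: the advisory does not give the download URL or a digest.
PATCH_URL="${PATCH_URL:-https://PLACEHOLDER.invalid/nginx-security-patch}"
EXPECTED_SHA256="${EXPECTED_SHA256:-PLACEHOLDER_SHA256_FROM_VENDOR}"
PATCH_FILE="nginx-security-patch"

# sha256_of FILE: print the hex SHA-256 digest of FILE (coreutils or perl-shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_patch FILE EXPECTED: return 0 when FILE's digest equals EXPECTED, 1 otherwise.
verify_patch() {
    actual=$(sha256_of "$1") || return 1
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# download_patch: fetch the patch into PATCH_FILE (network step; placeholder URL).
download_patch() {
    wget -O "$PATCH_FILE" "$PATCH_URL"
}

# apply_patch: download, verify, then apply with the advisory's chmod/run steps.
# Refuses to execute the file when the digest does not match.
apply_patch() {
    download_patch || return 1
    if ! verify_patch "$PATCH_FILE" "$EXPECTED_SHA256"; then
        echo "checksum mismatch for $PATCH_FILE; not executing it" >&2
        rm -f "$PATCH_FILE"
        return 1
    fi
    chmod 755 "$PATCH_FILE"
    ./"$PATCH_FILE"
}

# Usage (as root on the FortiSOAR VM):
#   PATCH_URL=... EXPECTED_SHA256=... sh apply-patch.sh
# Only run apply_patch when invoked directly, not when sourced by a test harness.
case "$0" in
    *apply-patch.sh) apply_patch ;;
esac
```

Keep the expected digest outside the script (environment variable or a read-only file) rather than hard-coding it, and record the digest you verified in your change ticket so the patch applied to each VM can be audited later.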


Internally discovered and reported by the FortiSOAR development team.