Broken access control on API endpoints

Summary

An improper access control vulnerability [CWE-284] in FortiSOAR may allow information disclosure to an authenticated attacker via crafted requests.

Version                   Affected              Solution
FortiSOAR PaaS 7.6        7.6.0 through 7.6.2   Upgrade to 7.6.3 or above
FortiSOAR PaaS 7.5        7.5.0 through 7.5.1   Upgrade to 7.5.2 or above
FortiSOAR PaaS 7.4        7.4 all versions      Migrate to a fixed release
FortiSOAR PaaS 7.3        7.3 all versions      Migrate to a fixed release
FortiSOAR on-premise 7.6  7.6.0 through 7.6.2   Upgrade to 7.6.3 or above
FortiSOAR on-premise 7.5  7.5.0 through 7.5.1   Upgrade to 7.5.2 or above
FortiSOAR on-premise 7.4  7.4 all versions      Migrate to a fixed release
FortiSOAR on-premise 7.3  7.3 all versions      Migrate to a fixed release
FortiSOAR on-premise 7.2  Not affected          Not Applicable
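To triage an asset inventory against the table above, here is an added example (not code from Fortinet or this advisory): a Python helper that parses a FortiSOAR version string and reports whether it falls inside an affected range. The deployment labels and the "not listed" result for branches the table does not mention are this example's own assumptions.

```python
# Added example, not part of the Fortinet advisory: classify a FortiSOAR
# build against the advisory's affected-version table for patch triage.
# Ranges are transcribed from the table; the deployment keys and the
# "not listed" outcome for unlisted branches are assumptions of this example.

# branch -> (first affected, last affected or None for "all versions", fix)
AFFECTED = {
    (7, 6): ((7, 6, 0), (7, 6, 2), "Upgrade to 7.6.3 or above"),
    (7, 5): ((7, 5, 0), (7, 5, 1), "Upgrade to 7.5.2 or above"),
    (7, 4): ((7, 4, 0), None, "Migrate to a fixed release"),
    (7, 3): ((7, 3, 0), None, "Migrate to a fixed release"),
}
# Only on-premise 7.2 is explicitly listed as not affected; PaaS 7.2 is absent.
NOT_AFFECTED_BRANCHES = {"on-premise": {(7, 2)}, "PaaS": set()}


def parse_version(text):
    """Turn '7.6.2' or '7.4' into a comparable 3-tuple, padding with zeros."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable FortiSOAR version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))


def classify(deployment, version_text):
    """Return (status, solution); status is 'affected', 'not affected' or 'not listed'."""
    if deployment not in NOT_AFFECTED_BRANCHES:
        raise ValueError(f"unknown deployment type: {deployment!r}")
    version = parse_version(version_text)
    branch = version[:2]
    if branch in NOT_AFFECTED_BRANCHES[deployment]:
        return ("not affected", "Not Applicable")
    entry = AFFECTED.get(branch)
    if entry is None:
        return ("not listed", "Branch not covered by this advisory")
    first, last, fix = entry
    # Builds below the first affected or above the last affected (e.g. 7.6.3,
    # which is the fixed release) are outside the vulnerable range.
    if version < first or (last is not None and version > last):
        return ("not affected", "Not Applicable")
    return ("affected", fix)


if __name__ == "__main__":
    for dep, ver in [("on-premise", "7.6.2"), ("PaaS", "7.4.7"), ("on-premise", "7.6.3")]:
        print(dep, ver, classify(dep, ver))
```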

Acknowledgement

Internally discovered and reported by Shripal Rawal of the Fortinet PSIRT team.

Timeline

2025-12-09: Initial publication