SQL injection in jsonrpc api
Summary
An Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability [CWE-89] in FortiAnalyzer and FortiAnalyzer-BigData API may allow an authenticated attacker to execute unauthorized code or commands via specifically crafted requests.
| Version | Affected | Solution |
|---|---|---|
| FortiAnalyzer 7.6 | 7.6.0 through 7.6.4 | Upgrade to 7.6.5 or above |
| FortiAnalyzer 7.4 | 7.4.0 through 7.4.7 | Upgrade to 7.4.8 or above |
| FortiAnalyzer 7.2 | 7.2 all versions | Migrate to a fixed release |
| FortiAnalyzer 7.0 | 7.0 all versions | Migrate to a fixed release |
| FortiAnalyzer 6.4 | 6.4 all versions | Migrate to a fixed release |
| FortiAnalyzer-BigData 7.6 | 7.6.0 | Upgrade to 7.6.1 or above |
| FortiAnalyzer-BigData 7.4 | 7.4.0 through 7.4.4 | Upgrade to 7.4.5 or above |
| FortiAnalyzer-BigData 7.2 | 7.2 all versions | Migrate to a fixed release |
| FortiAnalyzer-BigData 7.0 | 7.0 all versions | Migrate to a fixed release |
| FortiAnalyzer-BigData 6.4 | 6.4 all versions | Migrate to a fixed release |
| FortiAnalyzer-BigData 6.2 | 6.2 all versions | Migrate to a fixed release |
The vulnerability exists only when the JSON API is enabled (disabled by default).
If the JSON API is enabled on an admin profile, it can be disabled via the following configuration:
```
config system admin profile
edit <profile name>
set rpc-permit none
end
```
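The following audit helper is an added example, not part of the advisory or any Fortinet tooling: it parses a constructed `config system admin profile` block laid out like the CLI's show output, reports every profile whose `rpc-permit` is not `none`, and emits the advisory's remediation lines for each one. The profile names and the `read` / `read-write` values in the sample are assumed for illustration.

```python
# Constructed sample of FortiAnalyzer CLI show output (not from a real device);
# block layout follows the "config system admin profile" snippet in the advisory.
SAMPLE_CONFIG = """\
config system admin profile
    edit "Super_User"
        set rpc-permit read-write
    next
    edit "Standard_User"
        set rpc-permit read
    next
    edit "Restricted_User"
    next
end
"""


def rpc_enabled_profiles(config_text):
    """Return {profile: rpc-permit value} for each admin profile whose JSON API
    access is not 'none'. A profile without an explicit 'set rpc-permit' line
    keeps the default, which the advisory states is disabled, so it counts as 'none'."""
    exposed = {}
    in_block = False
    current = None
    permit = "none"
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system admin profile":
            in_block = True
        elif not in_block:
            continue
        elif line.startswith("edit "):
            current = line[5:].strip().strip('"')
            permit = "none"  # reset so one profile's value never leaks into the next
        elif line.startswith("set rpc-permit "):
            permit = line.split(None, 2)[2].strip()
        elif line == "next":
            if current is not None and permit != "none":
                exposed[current] = permit
            current = None
        elif line == "end":
            break
    return exposed


def remediation_commands(profile):
    """CLI lines from the advisory that disable JSON API access for one profile."""
    return ["config system admin profile", f'edit "{profile}"', "set rpc-permit none", "end"]


if __name__ == "__main__":
    for name, value in rpc_enabled_profiles(SAMPLE_CONFIG).items():
        print(f"{name}: rpc-permit {value}")
        print("\n".join(remediation_commands(name)))
```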
Acknowledgement
Discovered by Loic Pantano of Fortinet PSIRT
Timeline
2026-03-10: Initial publication