PSIRTSSRF via Report template and scheduling
Summary
A Server-Side request forgery (SSRF) vulnerability [CWE-918] in FortiSOAR may allow an authenticated attacker to discover services running on local ports via crafted requests.
| Version | Affected | Solution |
|---|---|---|
| FortiSOAR PaaS 7.6 | 7.6.4 | Upgrade to 7.6.5 or above |
| FortiSOAR PaaS 7.6 | 7.6.0 through 7.6.2 | Upgrade to 7.6.3 or 7.6.5 |
| FortiSOAR PaaS 7.5 | 7.5.0 through 7.5.2 | Upgrade to 7.5.3 or above |
| FortiSOAR PaaS 7.4 | 7.4 all versions | Migrate to a fixed release |
| FortiSOAR PaaS 7.3 | 7.3 all versions | Migrate to a fixed release |
| FortiSOAR on-premise 7.6 | 7.6.4 | Upgrade to 7.6.5 or above |
| FortiSOAR on-premise 7.6 | 7.6.0 through 7.6.2 | Upgrade to 7.6.3 or 7.6.5 |
| FortiSOAR on-premise 7.5 | 7.5.0 through 7.5.2 | Upgrade to 7.5.3 or above |
| FortiSOAR on-premise 7.4 | 7.4 all versions | Migrate to a fixed release |
| FortiSOAR on-premise 7.3 | 7.3 all versions | Migrate to a fixed release |
Acknowledgement
Internally discovered and reported by Shripal Rawal of Fortinet PSIRT team.Timeline
2026-04-14: Initial publication