Path Traversal on File Content Extraction connector
Summary
An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability [CWE-22] in FortiSOAR may allow an authenticated remote attacker to perform a path traversal attack via File Content Extraction actions.
| Version | Affected | Solution |
|---|---|---|
| FortiSOAR PaaS 7.6 | 7.6.0 through 7.6.3 | Upgrade to FortiSOAR File Content Extraction Connector Version 1.3.1 or above |
| FortiSOAR PaaS 7.5 | 7.5 all versions | Upgrade to FortiSOAR File Content Extraction Connector Version 1.3.1 or above |
| FortiSOAR PaaS 7.4 | 7.4 all versions | Upgrade to FortiSOAR File Content Extraction Connector Version 1.3.1 or above |
| FortiSOAR PaaS 7.3 | 7.3 all versions | Upgrade to FortiSOAR File Content Extraction Connector Version 1.3.1 or above |
| FortiSOAR on-premise 7.6 | 7.6.0 through 7.6.3 | Upgrade to FortiSOAR File Content Extraction Connector Version 1.3.1 or above |
| FortiSOAR on-premise 7.5 | 7.5 all versions | Upgrade to FortiSOAR File Content Extraction Connector Version 1.3.1 or above |
| FortiSOAR on-premise 7.4 | 7.4 all versions | Upgrade to FortiSOAR File Content Extraction Connector Version 1.3.1 or above |
| FortiSOAR on-premise 7.3 | 7.3 all versions | Upgrade to FortiSOAR File Content Extraction Connector Version 1.3.1 or above |
Acknowledgement
Internally discovered and reported by Shripal Rawal of Fortinet PSIRT team.
Timeline
2026-04-14: Initial publication