CVE-2026-21742 Overview
A cleartext transmission of sensitive information vulnerability (CWE-319) has been identified in Fortinet FortiSOAR, affecting both the PaaS and on-premise deployments. It allows an authenticated attacker to view cleartext passwords in responses to Secure Message Exchange and Radius queries when those features are configured. The issue stems from stored credential values being returned unmasked in network responses.
Critical Impact
An authenticated FortiSOAR user can read the cleartext passwords of the configured Secure Message Exchange and Radius integrations from API responses. No interception of traffic is needed: the server returns the values to the requesting user. The exposed credentials can then be used against the systems those integrations authenticate to.
Affected Products
- FortiSOAR PaaS 7.6.0 through 7.6.3
- FortiSOAR PaaS 7.5.0 through 7.5.2
- FortiSOAR PaaS 7.4 all versions
- FortiSOAR PaaS 7.3 all versions
- FortiSOAR on-premise 7.6.0 through 7.6.2
- FortiSOAR on-premise 7.5.0 through 7.5.1
- FortiSOAR on-premise 7.4 all versions
- FortiSOAR on-premise 7.3 all versions
Discovery Timeline
- 2026-04-14 - CVE CVE-2026-21742 published to NVD
- 2026-04-14 - Last updated in NVD database
Technical Details for CVE-2026-21742
Vulnerability Analysis
This vulnerability is classified under CWE-319 (Cleartext Transmission of Sensitive Information). FortiSOAR, Fortinet's Security Orchestration, Automation, and Response platform, improperly handles sensitive credential data when processing Secure Message Exchange and Radius authentication queries. When these integrations are configured, the application includes cleartext passwords in API responses that are accessible to authenticated users.
Exploitation requires valid credentials for the FortiSOAR platform and either Secure Message Exchange or Radius authentication to be configured. Once those conditions are met, the attacker reads the password values from the server's response payloads. TLS on the connection does not help here: the secret is present in the decrypted response body delivered to a user who should never receive it.
Root Cause
The observable defect is that the password fields of the Secure Message Exchange and Radius configurations are included, unmasked, in the responses to queries for those settings. The secure pattern for stored secrets in a configuration API is write-only handling: the server accepts a value on create or update, stores it, and on read returns only a fixed mask or an indication that a value is set, never the value itself, regardless of how strongly the caller is authenticated. Any response path that serializes the stored record without redacting those fields reproduces this bug.
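The following Python example is added here to illustrate the pattern described above; it is not FortiSOAR code, and the record, field names and mask string are assumptions. It contrasts a read path that returns the stored integration record as-is with one that treats secret fields as write-only, and shows how an update round-trips the masked response without clobbering the stored secret.

```python
"""Write-only secret fields in a configuration API: vulnerable and hardened read paths.
Illustrative Python, not FortiSOAR code; the record and field names are constructed."""
import json

# Constructed sample: a Radius integration record as a server might store it.
# The field names are assumptions for this example, not FortiSOAR's schema.
RADIUS_RECORD = {
    "name": "corp-radius",
    "server": "radius.example.internal",
    "port": 1812,
    "shared_secret": "S3cr3t-RADIUS-key",
    "bind_password": "hunter2",
}

# Keys whose stored values must never be returned to a client, even an authenticated one.
SECRET_FIELDS = frozenset({"shared_secret", "bind_password", "password", "secret"})
MASK = "********"


def response_vulnerable(record: dict) -> dict:
    """Before: the stored record is returned as-is, secrets included.
    This is the CWE-319 pattern the advisory describes: a read of the integration
    configuration hands the caller the cleartext password."""
    return dict(record)


def response_hardened(record: dict) -> dict:
    """After: secret fields are write-only. The response tells the caller whether a
    secret is set (fixed mask) or not (empty string) and never returns the value."""
    return {
        key: (MASK if value else "") if key in SECRET_FIELDS else value
        for key, value in record.items()
    }


def apply_update(stored: dict, update: dict) -> dict:
    """Merge a client update into the stored record. A secret field that arrives as the
    mask is left untouched, so a client can edit and resubmit the hardened response
    without wiping the stored secret; any other value replaces it."""
    merged = dict(stored)
    for key, value in update.items():
        if key in SECRET_FIELDS and value == MASK:
            continue
        merged[key] = value
    return merged


if __name__ == "__main__":
    print("vulnerable:", json.dumps(response_vulnerable(RADIUS_RECORD)))
    print("hardened:  ", json.dumps(response_hardened(RADIUS_RECORD)))
```

The mask-means-unchanged convention in apply_update is what makes the write-only design workable in a UI that loads the settings, lets an administrator edit the server name, and posts the whole form back; without it, every save would erase the secret.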
Attack Vector
The attack is network-based and low in complexity. An authenticated FortiSOAR user can exploit the vulnerability as follows:
- Authenticate to the FortiSOAR platform with valid credentials
- Query, or observe, a Secure Message Exchange or Radius configuration or query operation
- Read the API response, which contains the configured password in cleartext
- Reuse the credentials against the Radius server or message exchange peer
No interaction by another user is required; the only precondition beyond authentication is that one of the affected integrations is configured. The impact is to confidentiality: the integration passwords, and with them access to the systems they authenticate to, are exposed.
The vulnerability mechanism involves improper response handling where password fields are serialized without proper masking. When FortiSOAR processes queries to Secure Message Exchange or Radius endpoints, the response object includes credential data that should be redacted or encrypted. For technical details, refer to the Fortinet Security Advisory FG-IR-26-106.
Detection Methods for CVE-2026-21742
Indicators of Compromise
- Repeated queries to the Secure Message Exchange or Radius configuration endpoints, especially from accounts that do not administer those integrations
- An elevated volume of configuration or authentication-related API requests from a single user account or source address
- Log entries showing an account reading integration settings shortly after logging in or outside its usual working pattern
- Password values of the configured integrations appearing in response bodies, as seen at a TLS-terminating proxy or in application-level logging (encrypted HTTPS payloads cannot be inspected on the wire)
Detection Strategies
- Monitor FortiSOAR API access logs for requests to the Secure Message Exchange and Radius endpoints and baseline which accounts legitimately touch them
- Where a TLS-terminating proxy or DLP sits in front of FortiSOAR, inspect response bodies for the configured integration passwords; this only works where the traffic is decrypted, and string matching will miss encoded values, so treat it as a secondary signal
- Configure SIEM rules to alert on access to the authentication integration configurations by accounts outside the expected administrator set
- Deploy user behavior analytics to identify accounts reading sensitive configuration data outside their normal patterns
Monitoring Recommendations
- Enable detailed logging for all FortiSOAR API operations, particularly those involving integration configurations
- Implement real-time alerting for access to Secure Message Exchange and Radius query endpoints
- Monitor for data exfiltration attempts following access to configuration endpoints
- Track user session activity for signs of credential harvesting behavior
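The detection logic above, applied to sample log lines as an added example (not a FortiSOAR or Fortinet tool): the log format, the endpoint paths /api/config/radius and /api/config/secure-message-exchange, and the set of expected administrator accounts are assumptions that must be mapped to the real FortiSOAR audit log and routes. It flags successful reads of the sensitive endpoints by unexpected accounts, bursts of reads within a short window, and denied attempts.

```python
"""Flag accounts reading the Radius / Secure Message Exchange configuration endpoints.
Added detection example, not FortiSOAR tooling. The log format, the endpoint paths and
the list of expected administrator accounts are assumptions; substitute your own."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (the format is an assumption for this example).
SAMPLE_LOG = """\
2026-04-15T10:00:01Z user=alice src=10.0.0.5 method=GET path=/api/alerts status=200
2026-04-15T10:00:05Z user=bob src=10.0.0.9 method=GET path=/api/config/radius status=200
2026-04-15T10:00:06Z user=bob src=10.0.0.9 method=GET path=/api/config/radius status=200
2026-04-15T10:00:07Z user=bob src=10.0.0.9 method=GET path=/api/config/secure-message-exchange status=200
2026-04-15T10:00:08Z user=bob src=10.0.0.9 method=GET path=/api/config/radius status=200
2026-04-15T10:30:00Z user=carol src=10.0.0.7 method=GET path=/api/config/radius status=200
2026-04-15T11:00:00Z user=alice src=10.0.0.5 method=GET path=/api/config/radius status=403
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) method=(?P<method>\S+) "
    r"path=(?P<path>\S+) status=(?P<status>\d+)"
)
# Endpoint paths are hypothetical; map them to the real FortiSOAR routes for these settings.
SENSITIVE_PATH_RE = re.compile(r"^/api/config/(radius|secure-message-exchange)(/|$)")
INTEGRATION_ADMINS = frozenset({"carol"})   # accounts expected to read these settings (assumed)
BURST_WINDOW = timedelta(minutes=5)
BURST_THRESHOLD = 3


def parse_log(text):
    """Yield one event dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["status"] = int(ev["status"])
        yield ev


def detect(text):
    """Return {user: set(reasons)} for accounts whose access to the sensitive endpoints
    is suspicious: not an expected admin, a burst of reads in a short window, or a
    denied attempt (probing by an account that lacks the permission)."""
    reasons = defaultdict(set)
    recent = defaultdict(list)          # user -> timestamps of successful sensitive reads
    for ev in parse_log(text):
        if not SENSITIVE_PATH_RE.match(ev["path"]):
            continue
        if ev["status"] != 200:
            reasons[ev["user"]].add("denied")
            continue
        if ev["user"] not in INTEGRATION_ADMINS:
            reasons[ev["user"]].add("unexpected-account")
        window = recent[ev["user"]]
        window.append(ev["ts"])
        while window and ev["ts"] - window[0] > BURST_WINDOW:
            window.pop(0)
        if len(window) >= BURST_THRESHOLD:
            reasons[ev["user"]].add("burst")
    return dict(reasons)


if __name__ == "__main__":
    for user, why in sorted(detect(SAMPLE_LOG).items()):
        print(f"{user}: {', '.join(sorted(why))}")
```

Denied attempts are reported separately because a 403 on these endpoints does not leak anything, but it shows an account testing whether it can; the same rule shape translates directly into a SIEM correlation rule keyed on user and path.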
How to Mitigate CVE-2026-21742
Immediate Actions Required
- Upgrade to a fixed release (see Patch Information below) as soon as change control allows
- Review and restrict user access to Secure Message Exchange and Radius configuration interfaces
- Audit user accounts with access to FortiSOAR to identify potential compromise
- Rotate all credentials used in Secure Message Exchange and Radius integrations once the fix is in place, since any authenticated user may already have read them; rotating before patching only exposes the new values
Patch Information
Fortinet has released security advisories addressing this vulnerability. Administrators should consult the Fortinet Security Advisory FG-IR-26-106 for detailed patch information and upgrade guidance.
Recommended Upgrade Paths:
- FortiSOAR PaaS: Upgrade to version 7.6.4 or later
- FortiSOAR on-premise: Upgrade to version 7.6.3 or later
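After upgrading, confirm that the configuration endpoints no longer return the secrets. The following Python script, added here as an example rather than Fortinet tooling, walks a decoded JSON response and reports every secret-looking key whose value is not masked; the sample responses are constructed, and the key and mask patterns are assumptions to adjust to your deployment.

```python
"""Check an API response for unmasked secrets. Added verification example, not FortiSOAR
tooling. The sample responses are constructed; the key and mask patterns are assumptions."""
import json
import re
import sys

# Keys that should hold a secret. Adjust to the field names your deployment actually returns.
SECRET_KEY_RE = re.compile(r"(pass(word|wd)?|secret|token|api[_-]?key)", re.IGNORECASE)
# Values treated as properly masked: empty, null, all asterisks, or an explicit redaction marker.
MASK_RE = re.compile(r"^\*+$|^<redacted>$|^\[redacted\]$", re.IGNORECASE)

# Constructed responses modelling the behaviour before and after a fix.
BEFORE_FIX = {
    "radius": {"server": "radius.example.internal", "port": 1812, "shared_secret": "S3cr3t-RADIUS-key"},
    "secure_message_exchange": {"username": "sme-svc", "password": "hunter2", "tls": True},
}
AFTER_FIX = {
    "radius": {"server": "radius.example.internal", "port": 1812, "shared_secret": "********"},
    "secure_message_exchange": {"username": "sme-svc", "password": "********", "tls": True},
}


def is_masked(value) -> bool:
    """True for values a hardened API may legitimately return in a secret field."""
    return value is None or (isinstance(value, str) and (value == "" or bool(MASK_RE.match(value))))


def find_exposed_secrets(obj, path="$"):
    """Walk a decoded JSON document and return the JSON paths of secret-looking keys
    whose value is not masked. Nested objects and arrays are descended."""
    findings = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}"
            if isinstance(value, (dict, list)):
                findings.extend(find_exposed_secrets(value, child))
            elif SECRET_KEY_RE.search(key) and not is_masked(value):
                findings.append(child)
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            findings.extend(find_exposed_secrets(value, f"{path}[{i}]"))
    return findings


if __name__ == "__main__":
    # Usage: python3 check_response.py < response.json   (exit status 1 if anything is exposed)
    exposed = find_exposed_secrets(json.load(sys.stdin))
    for p in exposed:
        print("exposed:", p)
    sys.exit(1 if exposed else 0)
```

Fetch the Secure Message Exchange and Radius settings with an ordinary authenticated session after the upgrade and pipe the JSON body through the script; a non-empty result means the fix is not in effect, or that another endpoint still returns the same record unredacted.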
Workarounds
- Implement network segmentation to limit access to the FortiSOAR web and API interface to trusted networks; this bounds who can authenticate, not what an authenticated user can read
- Disable Secure Message Exchange and Radius integrations if not actively required until patches can be applied
- Enable additional authentication controls such as multi-factor authentication for FortiSOAR access
- Deploy a web application firewall (WAF) or TLS-terminating proxy to inspect responses for the configured credential values and block or alert on them; treat this as defense in depth, since pattern matching on response bodies is easy to evade and does not remove the secret from the response
# Example: restrict network access to the FortiSOAR web/API interface (TCP 443).
# Rules are inserted at the top of INPUT so an earlier blanket ACCEPT cannot shadow
# the DROP; 10.0.0.0/24 stands for the network(s) that need UI access (analysts
# included, not only administrators). Persist with your distribution's iptables-save
# mechanism, otherwise the rules are lost on reboot.
iptables -I INPUT 1 -p tcp --dport 443 -j DROP
iptables -I INPUT 1 -p tcp --dport 443 -s 10.0.0.0/24 -j ACCEPT
iptables -L INPUT -n --line-numbers | head
# Look for cleartext credentials in configuration exports. The directory is only an
# example; point it at wherever your exports are written. Anything found must be rotated after patching.
grep -rniE "password|secret" /opt/cyops/configs/ | grep -v "password_hash"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

