CVE-2026-22155 Overview
A cleartext transmission of sensitive information vulnerability (CWE-319) has been identified in Fortinet FortiSOAR, affecting both PaaS and on-premise deployments. This vulnerability enables attackers to intercept sensitive information transmitted over the network due to improper encryption implementation, potentially exposing confidential data to unauthorized parties.
Critical Impact
Attackers with network access can intercept sensitive information transmitted in cleartext, leading to potential data exposure and confidentiality breaches in security orchestration environments.
Affected Products
- FortiSOAR PaaS 7.6.0 through 7.6.3
- FortiSOAR PaaS 7.5.0 through 7.5.2
- FortiSOAR PaaS 7.4 all versions
- FortiSOAR PaaS 7.3 all versions
- FortiSOAR on-premise 7.6.0 through 7.6.2
- FortiSOAR on-premise 7.5.0 through 7.5.1
- FortiSOAR on-premise 7.4 all versions
- FortiSOAR on-premise 7.3 all versions
Discovery Timeline
- 2026-04-14 - CVE-2026-22155 published to NVD
- 2026-04-14 - Last updated in NVD database
Technical Details for CVE-2026-22155
Vulnerability Analysis
This vulnerability falls under CWE-319 (Cleartext Transmission of Sensitive Information), a class of weakness where applications transmit sensitive data without proper encryption. In the context of FortiSOAR, a Security Orchestration, Automation, and Response (SOAR) platform, this flaw is particularly concerning as the platform handles security-sensitive data including incident details, threat intelligence, and potentially credentials for integrated security tools.
The vulnerability allows attackers positioned on the network path between FortiSOAR components or between FortiSOAR and its clients to capture sensitive information. Given that FortiSOAR is designed to centralize security operations, the exposed data could include security incident details, playbook configurations, API credentials, and integration tokens for connected security infrastructure.
Root Cause
The root cause of this vulnerability is the improper implementation of transport layer security for certain communication channels within FortiSOAR. Sensitive information that should be encrypted during transmission is instead sent in cleartext, making it susceptible to network-based interception attacks. This may involve HTTP connections being used instead of HTTPS, or specific API endpoints or internal communications lacking proper TLS encryption.
Attack Vector
The attack vector for CVE-2026-22155 is network-based, requiring the attacker to have the ability to intercept network traffic between FortiSOAR components or between FortiSOAR and its users. This could be achieved through:
- Man-in-the-Middle (MITM) positioning - An attacker on the same network segment or with control over network infrastructure can passively capture cleartext transmissions.
- Network sniffing - Using packet capture tools on shared network segments to intercept unencrypted communications.
- Compromised network devices - Routers, switches, or proxies under attacker control can log or redirect cleartext traffic.
The attacker requires low privileges (network access) but no user interaction is needed, making this vulnerability exploitable in automated attack scenarios. The impact is primarily on confidentiality, with high potential for sensitive data exposure.
Detection Methods for CVE-2026-22155
Indicators of Compromise
- Unusual network traffic patterns involving FortiSOAR on non-encrypted ports (e.g., HTTP on port 80 instead of HTTPS on port 443)
- Network monitoring alerts for unencrypted sensitive data transmission
- Evidence of packet capture tools or MITM infrastructure on internal networks
- Anomalous access to FortiSOAR from unexpected network locations following potential credential exposure
Detection Strategies
- Deploy network traffic analysis tools to identify cleartext transmissions containing sensitive security data
- Implement SSL/TLS inspection at network boundaries to verify encryption is properly enforced
- Configure IDS/IPS rules to alert on unencrypted traffic patterns to and from FortiSOAR infrastructure
- Review FortiSOAR access logs for suspicious activity that could indicate compromised credentials
Monitoring Recommendations
- Enable comprehensive logging for all FortiSOAR network communications and API access
- Monitor for new or unauthorized network capture tools deployed within the environment
- Implement network segmentation monitoring to detect unauthorized traffic interception attempts
- Configure alerts for any HTTP (non-TLS) connections to FortiSOAR services
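One way to implement the "alert on any HTTP (non-TLS) connection to FortiSOAR" recommendation above, as an added example that is not FortiSOAR or Fortinet code: a small detector over Zeek-style conn.log records. The FortiSOAR address, the log lines and the reduced field layout (ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, service) are constructed for illustration; a real conn.log carries more columns, so adjust the parser to your export.

```python
"""Flag cleartext (non-TLS) connections to FortiSOAR hosts in Zeek-style conn logs.

Added example for the detection strategy described above; not FortiSOAR or
Fortinet code. Addresses and log lines are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed: addresses of the FortiSOAR nodes in this environment (assumption).
FORTISOAR_HOSTS: Set[str] = {"10.0.5.20"}

# Service labels Zeek assigns to cleartext application protocols.
CLEARTEXT_SERVICES = {"http", "ftp", "telnet", "smtp", "ldap"}
# Service labels that indicate the session was protected by TLS.
TLS_SERVICES = {"ssl", "tls"}
# Ports where an unidentified TCP session is still treated as cleartext HTTP.
CLEARTEXT_HTTP_PORTS = {80, 8080}


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    service: str
    reason: str


def parse_conn_line(line: str) -> Optional[dict]:
    """Parse one tab-separated record; return None for comments, headers or short lines."""
    if not line.strip() or line.startswith("#"):
        return None
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 8:
        return None
    return {
        "ts": fields[0], "uid": fields[1],
        "orig_h": fields[2], "orig_p": int(fields[3]),
        "resp_h": fields[4], "resp_p": int(fields[5]),
        "proto": fields[6], "service": fields[7],
    }


def detect_cleartext(lines: List[str], hosts: Set[str] = FORTISOAR_HOSTS) -> List[Finding]:
    """Return one Finding per TCP session to a FortiSOAR host that was not protected by TLS."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_conn_line(line)
        if rec is None or rec["resp_h"] not in hosts or rec["proto"] != "tcp":
            continue
        svc = rec["service"]
        if svc in TLS_SERVICES:
            continue  # encrypted session, nothing to report
        if svc in CLEARTEXT_SERVICES:
            reason = f"cleartext {svc} session to FortiSOAR host"
        elif rec["resp_p"] in CLEARTEXT_HTTP_PORTS:
            reason = "unidentified session on a cleartext HTTP port"
        else:
            continue  # unknown service on another port: not enough evidence to alert
        findings.append(Finding(rec["ts"], rec["orig_h"], rec["resp_h"],
                                rec["resp_p"], svc, reason))
    return findings


# Constructed sample log (a subset of the real Zeek conn.log columns).
SAMPLE_LOG = [
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice",
    "1776124800.10\tCx1\t10.0.7.31\t51234\t10.0.5.20\t80\ttcp\thttp",     # cleartext, alert
    "1776124801.22\tCx2\t10.0.7.31\t51240\t10.0.5.20\t443\ttcp\tssl",     # TLS, fine
    "1776124802.50\tCx3\t10.0.7.45\t51300\t10.0.9.9\t80\ttcp\thttp",      # not a FortiSOAR host
    "1776124803.75\tCx4\t10.0.7.52\t51310\t10.0.5.20\t8080\ttcp\t-",      # unidentified on 8080, alert
    "1776124804.00\tCx5\t10.0.7.52\t51320\t10.0.5.20\t22\ttcp\tssh",      # ssh, ignored
]

if __name__ == "__main__":
    for f in detect_cleartext(SAMPLE_LOG):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport} [{f.service}] {f.reason}")
```

Feed the function your exported conn.log lines (or adapt the parser to your flow format); each Finding carries enough context to pivot into a capture or the FortiSOAR access logs for the source address.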
How to Mitigate CVE-2026-22155
Immediate Actions Required
- Review the FortiGuard Security Advisory for detailed remediation guidance
- Upgrade FortiSOAR PaaS deployments to version 7.6.4 or later (or latest patched version as specified in advisory)
- Upgrade FortiSOAR on-premise deployments to version 7.6.3 or later (or latest patched version as specified in advisory)
- Implement network segmentation to isolate FortiSOAR infrastructure and limit exposure
- Audit and rotate any credentials that may have been transmitted over affected versions
Patch Information
Fortinet has released security updates to address this vulnerability. Administrators should consult the official FortiGuard Security Advisory FG-IR-26-106 for specific version information and download links for patched releases. It is critical to update both PaaS and on-premise deployments to the latest available versions.
Workarounds
- Enforce TLS encryption at the network level using reverse proxies or load balancers in front of FortiSOAR
- Implement network segmentation to restrict access to FortiSOAR infrastructure to trusted networks only
- Deploy VPN or encrypted tunnels for all administrative access to FortiSOAR
- Monitor network traffic for any cleartext transmissions and block unencrypted access to FortiSOAR services at the firewall level
# Example: Configure firewall to block unencrypted HTTP access to FortiSOAR
# Adjust ports and IP addresses according to your environment
# Rules are matched in order: LOG is non-terminating, so it must come
# before DROP, otherwise the log rule is never reached
# Log any attempted HTTP connections for monitoring
iptables -A INPUT -p tcp --dport 80 -d <fortisoar-ip> -j LOG --log-prefix "FortiSOAR-HTTP-Block: "
# Block HTTP (port 80) access to FortiSOAR server
iptables -A INPUT -p tcp --dport 80 -d <fortisoar-ip> -j DROP
# Ensure HTTPS (port 443) is permitted
iptables -A INPUT -p tcp --dport 443 -d <fortisoar-ip> -j ACCEPT
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

