CVE-2026-22573 Overview
A path traversal vulnerability (CWE-22) has been identified in Fortinet FortiSOAR, affecting both PaaS and on-premise deployments. This improper limitation of a pathname to a restricted directory allows an authenticated remote attacker to perform path traversal attacks via File Content Extraction actions, potentially exposing sensitive files outside of intended directories.
Critical Impact
Authenticated attackers can leverage this vulnerability to read arbitrary files on the system through path traversal, potentially accessing sensitive configuration files, credentials, or other confidential data stored on FortiSOAR servers.
Affected Products
- FortiSOAR PaaS versions 7.6.0 through 7.6.3
- FortiSOAR PaaS versions 7.5.x (all versions)
- FortiSOAR PaaS versions 7.4.x (all versions)
- FortiSOAR PaaS versions 7.3.x (all versions)
- FortiSOAR on-premise versions 7.6.0 through 7.6.3
- FortiSOAR on-premise versions 7.5.x (all versions)
- FortiSOAR on-premise versions 7.4.x (all versions)
- FortiSOAR on-premise versions 7.3.x (all versions)
Discovery Timeline
- 2026-04-14 - CVE-2026-22573 published to NVD
- 2026-04-14 - Last updated in NVD database
Technical Details for CVE-2026-22573
Vulnerability Analysis
This vulnerability resides in the File Content Extraction functionality within FortiSOAR. The affected component fails to properly validate and sanitize user-supplied file paths, allowing authenticated users to traverse outside the intended directory structure. By manipulating file path parameters with sequences such as ../, an attacker can access files located in parent directories or arbitrary locations on the filesystem.
The vulnerability specifically impacts the File Content Extraction actions feature, which is designed to extract and process file contents as part of FortiSOAR's security orchestration, automation, and response (SOAR) workflows. When this feature processes a maliciously crafted path, it follows the traversal sequences and reads files from unintended locations.
Since the attack requires authentication, the immediate attack surface is limited to users with valid credentials to the FortiSOAR platform. However, in a compromised credential scenario or from an insider threat perspective, this vulnerability presents a significant risk for data exfiltration.
Root Cause
The root cause is improper input validation in the File Content Extraction action handlers. The application fails to adequately sanitize path components before resolving file locations, allowing relative path traversal sequences (such as ../) to escape the intended directory boundary. This is a classic CWE-22 vulnerability where path canonicalization or proper input filtering is missing from the file access logic.
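The defect described above, illustrated as an added example in Python (not FortiSOAR's code): `resolve_unsafely` is the vulnerable pattern, a caller-supplied path joined onto a base directory with no canonicalisation, and `resolve_safely` is the hardened form that canonicalises the result and refuses anything outside the base directory. The directory names and file contents used in `demo` are constructed.

```python
"""Vulnerable vs. hardened path resolution for a file-extraction handler.

Added example, not FortiSOAR code. Base directories and file contents
below are constructed for the demonstration.
"""
import os
import tempfile


class PathTraversalError(ValueError):
    """Raised when a requested path resolves outside the permitted base directory."""


def resolve_unsafely(base_dir: str, user_path: str) -> str:
    # Vulnerable pattern, shown for contrast: os.path.join keeps '..' segments,
    # and an absolute user_path replaces base_dir entirely.
    return os.path.join(base_dir, user_path)


def resolve_safely(base_dir: str, user_path: str) -> str:
    """Canonicalise the requested path and confine it to base_dir.

    realpath() collapses '.' and '..' and follows symlinks, so the containment
    check sees the real filesystem location rather than the string the caller sent.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    # commonpath avoids the prefix trick where '/srv/uploads_evil/x' would pass a
    # naive candidate.startswith('/srv/uploads') check.
    if os.path.commonpath([base, candidate]) != base:
        raise PathTraversalError(f"path escapes base directory: {user_path!r}")
    return candidate


def is_confined(base_dir: str, user_path: str) -> bool:
    """True if user_path stays inside base_dir after canonicalisation."""
    try:
        resolve_safely(base_dir, user_path)
    except PathTraversalError:
        return False
    return True


def extract_content(base_dir: str, user_path: str) -> str:
    """Hardened 'file content extraction': read a file only if it lies inside base_dir."""
    with open(resolve_safely(base_dir, user_path), encoding="utf-8") as fh:
        return fh.read()


def demo() -> dict:
    """Run both resolvers against a constructed layout:
    <tmp>/uploads/report.txt (allowed) and <tmp>/config.ini (must stay unreachable)."""
    with tempfile.TemporaryDirectory() as root:
        uploads = os.path.join(root, "uploads")
        os.mkdir(uploads)
        with open(os.path.join(uploads, "report.txt"), "w", encoding="utf-8") as fh:
            fh.write("quarterly report")
        with open(os.path.join(root, "config.ini"), "w", encoding="utf-8") as fh:
            fh.write("db_password=constructed-secret")

        results = {
            # The unsafe join yields '<tmp>/uploads/../config.ini', which exists.
            "unsafe_escapes": os.path.exists(resolve_unsafely(uploads, "../config.ini")),
            "safe_reads_legit": extract_content(uploads, "report.txt"),
            "safe_blocks_traversal": not is_confined(uploads, "../config.ini"),
            "safe_blocks_absolute": not is_confined(uploads, "/etc/passwd"),
        }
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The containment check is done on the canonical path, not on the raw string, so encoded or doubly-encoded `..` sequences that a framework decodes before calling the handler are caught as well; a symlink planted inside the base directory is also followed before the check.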
Attack Vector
The attack is network-accessible and requires low privileges (authenticated user access) with no user interaction needed. An authenticated attacker can craft malicious requests to the File Content Extraction functionality, injecting path traversal sequences into file path parameters. The vulnerable endpoint processes these paths without proper validation, resolving them to locations outside the intended directory scope.
The attacker can exploit this by:
- Authenticating to the FortiSOAR platform with valid credentials
- Initiating a File Content Extraction action
- Manipulating the file path parameter to include traversal sequences (e.g., ../../etc/passwd)
- Receiving the contents of arbitrary files accessible to the FortiSOAR service account
The vulnerability enables high confidentiality impact, as attackers can potentially read sensitive system files, application configurations, database credentials, API keys, and other confidential data stored on the server.
Detection Methods for CVE-2026-22573
Indicators of Compromise
- Log entries showing File Content Extraction actions with path traversal patterns such as ../, ..\, or encoded variants
- Access attempts to sensitive system files like /etc/passwd, /etc/shadow, or application configuration files through FortiSOAR
- Unusual file access patterns from the FortiSOAR service account or associated processes
- Audit logs indicating extraction of files outside normal operational directories
Detection Strategies
- Implement log monitoring rules to detect path traversal patterns (../, %2e%2e%2f, ..%c0%af) in File Content Extraction action parameters
- Configure SIEM alerts for FortiSOAR file access events targeting sensitive system directories or files
- Deploy web application firewall (WAF) rules to block requests containing directory traversal sequences
- Enable detailed audit logging for all File Content Extraction operations and review for anomalous access patterns
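Detection logic for the indicators and monitoring rules listed above, as an added example (not FortiSOAR code): it scans extraction-action log lines, undoes the encodings an attacker might layer on the path parameter (percent-encoding, double encoding, and overlong UTF-8 such as %c0%af), and flags traversal sequences and sensitive targets. The key=value log format and the sample lines are constructed; adapt `LOG_LINE` to the actual audit log format in use.

```python
"""Scan extraction-action audit lines for path traversal indicators.

Added example, not FortiSOAR code. The log format and sample lines are
constructed; the field names are assumptions.
"""
import re
from urllib.parse import unquote

# Constructed sample audit log (not FortiSOAR's real format).
SAMPLE_LOG = """\
2026-04-15T10:02:11Z user=analyst action=file_content_extraction path=reports/q1.pdf
2026-04-15T10:03:30Z user=analyst action=file_content_extraction path=archive..old.txt
2026-04-15T10:05:43Z user=analyst action=file_content_extraction path=../../etc/passwd
2026-04-15T10:06:01Z user=contractor action=file_content_extraction path=%2e%2e%2f%2e%2e%2fetc%2fshadow
2026-04-15T10:06:20Z user=contractor action=file_content_extraction path=..%c0%af..%c0%afetc%c0%afpasswd
2026-04-15T10:07:02Z user=contractor action=file_content_extraction path=%252e%252e%252fetc%252fpasswd
2026-04-15T10:08:00Z user=admin action=login result=success
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+action=(?P<action>\S+)(?:\s+path=(?P<path>\S+))?"
)
# Overlong UTF-8 encodings of '/' and '\' that lenient decoders historically accepted.
OVERLONG = {"%c0%af": "/", "%c1%9c": "\\"}
OVERLONG_RE = re.compile("|".join(re.escape(k) for k in OVERLONG), re.IGNORECASE)
# '..' as a whole path segment; a filename like 'archive..old.txt' must not match.
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")
SENSITIVE_TARGETS = ("etc/passwd", "etc/shadow")


def normalize_path(raw: str, max_rounds: int = 3) -> str:
    """Canonical form: overlong bytes replaced, percent-decoding repeated until
    stable (defeats double encoding), backslashes folded to forward slashes."""
    value = raw
    for _ in range(max_rounds):
        value = OVERLONG_RE.sub(lambda m: OVERLONG[m.group(0).lower()], value)
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def analyze_line(line: str):
    """Return an alert dict for a suspicious extraction line, else None."""
    m = LOG_LINE.match(line)
    if not m or m["action"] != "file_content_extraction" or not m["path"]:
        return None
    normalized = normalize_path(m["path"])
    findings = []
    if TRAVERSAL.search(normalized):
        findings.append("traversal_sequence")
    if any(t in normalized for t in SENSITIVE_TARGETS):
        findings.append("sensitive_target")
    if not findings:
        return None
    return {"ts": m["ts"], "user": m["user"], "raw_path": m["path"],
            "normalized": normalized, "findings": findings}


def scan(lines):
    """Run analyze_line over an iterable of log lines and collect the alerts."""
    return [a for a in (analyze_line(line) for line in lines) if a]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(alert)
```

Matching on the normalised value rather than the raw string is what catches the `%2e%2e%2f`, `%252e` and `%c0%af` variants with a single pattern; a SIEM rule that only searches for the literal `../` misses all three.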
Monitoring Recommendations
- Monitor FortiSOAR application logs for error messages indicating failed file access attempts to system directories
- Track all file operations performed by the FortiSOAR service account for access to files outside application directories
- Implement file integrity monitoring (FIM) on sensitive system files to detect unauthorized read access
- Review authentication logs for unusual login patterns that may precede exploitation attempts
How to Mitigate CVE-2026-22573
Immediate Actions Required
- Review the Fortinet Security Advisory FG-IR-26-116 for vendor-specific guidance and available patches
- Audit user accounts with access to FortiSOAR and revoke unnecessary privileges
- Implement additional access controls to restrict who can execute File Content Extraction actions
- Enable enhanced logging for all file operations within FortiSOAR pending patch deployment
- Consider network segmentation to limit the impact of potential data exfiltration
Patch Information
Fortinet has released a security advisory addressing this vulnerability. Organizations should consult the Fortinet Security Advisory FG-IR-26-116 for detailed patching instructions and updated software versions. Apply the latest security patches for FortiSOAR as soon as they become available from Fortinet.
Workarounds
- Restrict access to the File Content Extraction functionality to only trusted and essential users
- Implement network-level access controls to limit which systems can reach the FortiSOAR management interface
- Deploy web application firewall rules to filter and block requests containing path traversal patterns
- Consider disabling the File Content Extraction feature temporarily if it is not critical to operations
- Implement strict role-based access controls within FortiSOAR to minimize the number of users who can execute potentially vulnerable actions
# Example: Web application firewall rule to block path traversal patterns
# Add to your WAF configuration to help mitigate exploitation attempts
# Block requests containing common path traversal sequences
# Note: This is a temporary mitigation - apply vendor patches when available
# Example ModSecurity rule (adjust for your WAF solution)
SecRule REQUEST_URI|ARGS "@rx (\.\./|\.\.\\|%2e%2e%2f|%2e%2e/|\.%2e/|%2e\./)" \
"id:1001,phase:2,deny,status:403,log,msg:'Path Traversal Attempt Blocked'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

