Security News

Cybersecurity news aggregator

MEDIUM Vulnerabilities Fortinet PSIRT

Cleartext Credentials in response for API endpoints

  • What: Cleartext credentials in API responses
  • Impact: Authenticated attackers could view passwords in API responses in FortiSOAR

Summary

A Cleartext Transmission of Sensitive Information vulnerability [CWE-319] in FortiSOAR may allow an authenticated attacker to view cleartext password in response for Secure Message Exchange and Radius queries, if configured.

| Version | Affected | Solution |
|---|---|---|
| FortiSOAR PaaS 7.6 | 7.6.0 through 7.6.3 | Upgrade to 7.6.4 or above |
| FortiSOAR PaaS 7.5 | 7.5.0 through 7.5.2 | Upgrade to 7.5.3 or above |
| FortiSOAR PaaS 7.4 | 7.4 all versions | Migrate to a fixed release |
| FortiSOAR PaaS 7.3 | 7.3 all versions | Migrate to a fixed release |
| FortiSOAR on-premise 7.6 | 7.6.0 through 7.6.2 | Upgrade to 7.6.4 or above |
| FortiSOAR on-premise 7.5 | 7.5.0 through 7.5.1 | Upgrade to 7.5.3 or above |
| FortiSOAR on-premise 7.4 | 7.4 all versions | Migrate to a fixed release |
| FortiSOAR on-premise 7.3 | 7.3 all versions | Migrate to a fixed release |

Acknowledgement

Internally discovered and reported by Kushal Arvind Shah of Fortinet PSIRT team.

Timeline

2026-04-14: Initial publication

  • IR Number: FG-IR-26-106
  • Published Date: Apr 14, 2026
  • Component: GUI
  • Severity: Medium
  • Discovered: Internal
  • Attack Type: Authenticated
  • Known Exploited: No
  • CVSSv3 Score: 6.2
  • Impact: Information disclosure
  • CVE ID: CVE-2026-21742, CVE-2026-22155
