PSIRT Path Traversal on File Content Extraction connector Summary An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability [CWE-22] in FortiSOAR may allow an authenticated remote attacker to perform path traversal attack via File Content Extraction actions. Version Affected Solution FortiSOAR PaaS 7.6 7.6.0 through 7.6.3 Upgrade to FortiSOAR File Content Extraction Connector Version 1.3.1 or above FortiSOAR PaaS 7.5 7.5 all versions Upgrade to FortiSOAR File Content Extraction Connector Version 1.3.1 or above FortiSOAR PaaS 7.4 7.4 all versions Upgrade to FortiSOAR File Content Extraction Connector Version 1.3.1 or above FortiSOAR PaaS 7.3 7.3 all versions Upgrade to FortiSOAR File Content Extraction Connector Version 1.3.1 or above FortiSOAR on-premise 7.6 7.6.0 through 7.6.3 Upgrade to FortiSOAR File Content Extraction Connector Version 1.3.1 or above FortiSOAR on-premise 7.5 7.5 all versions Upgrade to FortiSOAR File Content Extraction Connector Version 1.3.1 or above FortiSOAR on-premise 7.4 7.4 all versions Upgrade to FortiSOAR File Content Extraction Connector Version 1.3.1 or above FortiSOAR on-premise 7.3 7.3 all versions Upgrade to FortiSOAR File Content Extraction Connector Version 1.3.1 or above Acknowledgement Internally discovered and reported by Shripal Rawal of Fortinet PSIRT team. Timeline 2026-04-14: Initial publication IR Number FG-IR-26-116 Published Date Apr 14, 2026 Component OTHERS Severity Medium Discovered Internal Attack Type Authenticated Known Exploited No CVSSv3 Score 6.2 Impact Information disclosure CVE ID CVE-2026-22573 Download CVRF CSAF