Fortinet Patches Two Critical FortiSandbox Vulnerabilities with CVSS 9.1 Scores
Fortinet has disclosed two critical vulnerabilities in its FortiSandbox platform, both rated 9.1 on the CVSSv3 scale, which could allow unauthenticated remote attackers to execute arbitrary commands and bypass authentication. The flaws, published on April 14, 2026, pose significant risks to enterprises relying on FortiSandbox for threat detection.
The first vulnerability, CVE-2026-39808, is an OS command injection flaw in the FortiSandbox API component. It enables attackers to execute unauthorized commands via specially crafted HTTP requests, potentially compromising the sandboxing environment. Affecting FortiSandbox 4.4.0 through 4.4.8, the issue was responsibly disclosed by Samuel de Lucas Maroto of KPMG Spain. Fortinet recommends upgrading to version 4.4.9 or later.
The second flaw, CVE-2026-39813, is an authentication bypass via path traversal in the FortiSandbox JRPC API. Exploitable through malicious HTTP requests, it allows privilege escalation without prior authentication. Discovered internally by Fortinet’s Loic Pantano, it impacts FortiSandbox 5.0.0 through 5.0.5 and FortiSandbox 4.4.0 through 4.4.8. Patches are available in versions 5.0.6 and 4.4.9.
No active exploitation has been observed, but the unauthenticated attack vectors and high severity scores make these vulnerabilities a priority for remediation. Organizations are advised to apply updates and restrict API access to trusted networks as a temporary mitigation.
Source: https://cybersecuritynews.com/fortisandbox-vulnerability-command-execution/
Fortinet cybersecurity rating report: https://www.rankiteo.com/company/fortinet
"id": "FOR1776183827",
"linkid": "fortinet",
"type": "Vulnerability",
"date": "4/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{
  "affected_entities": [
    {
      "customers_affected": "Enterprises relying on FortiSandbox for threat detection",
      "industry": "Cybersecurity",
      "name": "Fortinet",
      "type": "Company"
    }
  ],
  "attack_vector": "Remote",
  "customer_advisories": "Organizations are advised to apply updates and restrict API access to trusted networks.",
  "date_publicly_disclosed": "2026-04-14",
  "description": "Fortinet has disclosed two critical vulnerabilities in its FortiSandbox platform, both rated 9.1 on the CVSSv3 scale, which could allow unauthenticated remote attackers to execute arbitrary commands and bypass authentication. The flaws pose significant risks to enterprises relying on FortiSandbox for threat detection.",
  "impact": {
    "operational_impact": "Potential compromise of sandboxing environment and privilege escalation",
    "systems_affected": "FortiSandbox platform"
  },
  "investigation_status": "Vulnerabilities disclosed; no active exploitation observed",
  "post_incident_analysis": {
    "corrective_actions": [
      "Upgrade to patched versions",
      "Restrict API access to trusted networks"
    ],
    "root_causes": [
      "OS command injection flaw in FortiSandbox API",
      "Authentication bypass via path traversal in JRPC API"
    ]
  },
  "recommendations": "Apply patches immediately and restrict API access to trusted networks as a temporary mitigation.",
  "references": [
    {"source": "Fortinet Security Advisory"}
  ],
  "response": {
    "containment_measures": "Apply updates to versions 4.4.9, 5.0.6, or later; restrict API access to trusted networks",
    "remediation_measures": "Upgrade to patched versions (4.4.9 or 5.0.6)"
  },
  "title": "Fortinet Patches Two Critical FortiSandbox Vulnerabilities with CVSS 9.1 Scores",
  "type": ["OS command injection", "Authentication bypass"],
  "vulnerability_exploited": ["CVE-2026-39808", "CVE-2026-39813"]
}