Critical FortiSandbox Flaws Allow Unauthorized Command Execution

Fortinet has disclosed two critical security vulnerabilities impacting its FortiSandbox platform. Both flaws carry a significant CVSSv3 score of 9.1.

The flaws, published on April 14, 2026, could allow unauthenticated remote attackers to execute arbitrary commands and bypass authentication entirely, posing a serious risk to enterprise environments relying on FortiSandbox for advanced threat detection.

OS Command Injection Flaw (CVE-2026-39808)

The first vulnerability, tracked as CVE-2026-39808, is an Improper Neutralization of Special Elements used in an OS Command, classified under CWE-78.

The flaw resides in the FortiSandbox API component and enables an unauthenticated attacker to execute unauthorized code or commands by sending specially crafted HTTP requests.

With no authentication required and a network-based attack vector, this vulnerability represents a low-complexity, high-impact threat. Successful exploitation could result in full compromise of the sandboxing environment, undermining the very system designed to analyze and contain malicious files.

Affected versions and remediation:

• FortiSandbox 4.4 (versions 4.4.0 through 4.4.8) — upgrade to 4.4.9 or above
• FortiSandbox 5.0 — not affected
• FortiSandbox PaaS 5.0 — not impacted; no action required

The vulnerability was responsibly disclosed by Samuel de Lucas Maroto from KPMG Spain, and Fortinet has acknowledged the researcher’s contribution.

Authentication Bypass via Path Traversal (CVE-2026-39813)

The second critical vulnerability, CVE-2026-39813, is a Path Traversal flaw classified under CWE-24, affecting the FortiSandbox JRPC API.

An unauthenticated attacker can exploit this weakness using specially crafted HTTP requests to bypass authentication controls, with the primary impact being escalation of privilege.

Like the first flaw, this vulnerability also carries a CVSSv3 score of 9.1 and requires no user interaction or prior authentication, making it equally dangerous in exposed deployments. This vulnerability was internally discovered and reported by Loic Pantano of Fortinet PSIRT.

Affected versions and remediation:

• FortiSandbox 5.0 (versions 5.0.0 through 5.0.5) — upgrade to 5.0.6 or above
• FortiSandbox 4.4 (versions 4.4.0 through 4.4.8) — upgrade to 4.4.9 or above
• FortiSandbox 5.2 and 4.2 — not affected

Neither vulnerability has been observed as exploited in the wild as of publication, but given their critical severity scores and unauthenticated attack vectors, organizations should treat these disclosures as high-priority.

Security teams are urged to apply the recommended patches immediately, audit FortiSandbox deployments for exposure, and restrict API access to trusted networks as a temporary mitigation while updates are being rolled out.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.