Critical FortiSandbox Flaws Let Attackers Execute Commands
Key Takeaways
- Fortinet has revealed two critical vulnerabilities in its FortiSandbox platform, both scoring 9.1 on the CVSSv3 scale.
- These flaws, disclosed on April 14, 2026, could allow unauthenticated attackers to execute arbitrary commands and bypass authentication.
- Multiple versions of FortiSandbox are affected, including 4.4.0 through 4.4.8 and 5.0.0 through 5.0.5.
- Patches are available, and immediate upgrades to FortiSandbox 4.4.9+ or 5.0.6+ are strongly recommended.
Critical FortiSandbox Flaws Open Door to Remote Command Execution and Authentication Bypass
Fortinet has issued a high-priority alert regarding two severe security vulnerabilities within its FortiSandbox product line. Both issues have received a CVSSv3 score of 9.1, indicating critical severity. These flaws, publicly disclosed on April 14, 2026, pose a substantial risk to enterprise security, potentially allowing unauthenticated remote attackers to execute arbitrary commands and completely circumvent authentication mechanisms on affected systems.
OS Command Injection Flaw (CVE-2026-39808)
The first vulnerability, identified as CVE-2026-39808, is an improper neutralization of special elements used in an OS command, categorized under CWE-78. This flaw resides within the FortiSandbox API component.
Exploitation is possible by an unauthenticated attacker sending specially crafted HTTP requests. This allows for unauthorized code or command execution. The attack vector is network-based, requires no authentication, and has low complexity, making it a high-impact threat. A successful exploit could lead to a complete compromise of the sandbox environment, directly undermining its intended function of threat analysis and containment.
Affected Versions and Remediation for CVE-2026-39808
- FortiSandbox versions 4.4.0 through 4.4.8 are vulnerable; users must upgrade to 4.4.9 or a later version.
- FortiSandbox 5.0 is not affected.
- FortiSandbox PaaS 5.0 is not impacted and requires no action.
This vulnerability was responsibly reported by Samuel de Lucas Maroto from KPMG Spain, and Fortinet has acknowledged his contribution.
Authentication Bypass via Path Traversal (CVE-2026-39813)
The second critical vulnerability, CVE-2026-39813, is a path traversal flaw (CWE-24) affecting the FortiSandbox JRPC API. This weakness allows an unauthenticated attacker to bypass authentication controls through specially crafted HTTP requests, primarily leading to privilege escalation.
Like the first vulnerability, CVE-2026-39813 also carries a CVSSv3 score of 9.1. It requires no user interaction or prior authentication, making it equally dangerous in any exposed deployment. This vulnerability was discovered and reported internally by Loic Pantano of Fortinet PSIRT.
Affected Versions and Remediation for CVE-2026-39813
- FortiSandbox versions 5.0.0 through 5.0.5 are vulnerable; an upgrade to 5.0.6 or a later version is required.
- FortiSandbox versions 4.4.0 through 4.4.8 are also vulnerable; users must upgrade to 4.4.9 or a later version.
- FortiSandbox 5.2 and 4.2 are not affected.
As of this publication, there is no evidence that either vulnerability has been exploited in the wild. However, given their critical severity and unauthenticated attack vectors, organizations should treat these disclosures with the highest priority.
What You Should Do
- Immediately apply the recommended patches by upgrading FortiSandbox to version 4.4.9 (for 4.4.x branches) or 5.0.6 (for 5.0.x branches) or later.
- Audit all FortiSandbox deployments to confirm their exposure status.
- As a temporary mitigation while patches are being deployed, restrict API access to FortiSandbox to only trusted networks and hosts.
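To support the audit step, the following script checks an inventory of FortiSandbox version strings against the affected ranges and fix versions stated in this advisory. It is an added example, not Fortinet tooling; the hostnames and version strings in it are constructed sample data.

```python
"""Exposure check for CVE-2026-39808 and CVE-2026-39813 on FortiSandbox.

Added example; affected ranges and fixed-in versions are taken from the
advisory text above. Inventory data in main() is constructed, not real.
"""
import re

# Per CVE: (first affected, last affected, fixed-in) for each affected branch.
AFFECTED = {
    "CVE-2026-39808": [((4, 4, 0), (4, 4, 8), "4.4.9")],
    "CVE-2026-39813": [((4, 4, 0), (4, 4, 8), "4.4.9"),
                       ((5, 0, 0), (5, 0, 5), "5.0.6")],
}


def parse_version(text):
    """Extract (major, minor, patch) from strings such as 'v5.0.3' or '5.0.3 build 0142'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised FortiSandbox version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def exposures(version_text):
    """Return {cve: fixed_in} for every advisory whose affected range covers this version."""
    version = parse_version(version_text)
    hits = {}
    for cve, ranges in AFFECTED.items():
        for low, high, fixed in ranges:
            if low <= version <= high:   # tuple comparison handles 4.4.10 > 4.4.8 correctly
                hits[cve] = fixed
    return hits


def audit(inventory):
    """inventory: {hostname: version string}. Returns only the exposed hosts with their fixes."""
    report = {}
    for host, version_text in inventory.items():
        hits = exposures(version_text)
        if hits:
            report[host] = hits
    return report


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts and versions).
    sample = {"sbx-lab-01": "v4.4.3", "sbx-prod-02": "5.0.5 build 0142",
              "sbx-prod-03": "5.0.6", "sbx-old-04": "4.2.7"}
    for host, hits in audit(sample).items():
        for cve, fixed in hits.items():
            print(f"{host}: exposed to {cve}; upgrade to {fixed} or later")
```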