"FortiSandbox Vulnerabilities: Risk for Unauthorized Commands"


On April 14, 2026, Fortinet announced the discovery of two serious security vulnerabilities affecting the FortiSandbox platform. Both vulnerabilities received a CVSSv3 score of 9.1, indicating critical severity.

These flaws could allow unauthorized remote attackers to execute arbitrary commands and bypass authentication mechanisms, putting enterprise infrastructures that use the FortiSandbox platform for advanced threat detection and analysis at serious risk.

Operating System Command Injection Flaw (CVE-2026-39808)

The first vulnerability, CVE-2026-39808, is an improper neutralization of special elements used in an operating system command, categorized as CWE-78. In practice, the platform's security controls can be bypassed through specially crafted HTTP requests sent by unauthorized users.

The flaw is located in the FortiSandbox API and allows attackers to execute arbitrary commands. Because no authentication is required and the attack vector is purely network-based, the vulnerability is both dangerous and easily exploitable.

Affected versions and Recommendations:

  • FortiSandbox 4.4 (versions 4.4.0 to 4.4.8) — upgrade to 4.4.9 or later
  • FortiSandbox 5.0 — not affected
  • FortiSandbox PaaS 5.0 — not affected, no action required

The vulnerability was identified by Samuel de Lucas Maroto from KPMG Spain, with Fortinet acknowledging the researcher's contribution.

Identity Verification Bypass via Path Traversal (CVE-2026-39813)

The second vulnerability, CVE-2026-39813, results from a path traversal error, categorized as CWE-24. It affects the FortiSandbox JRPC API and allows unauthenticated attackers to bypass authentication via specially crafted HTTP requests.

Exploitation of this vulnerability could have serious consequences, including privilege escalation. With a CVSSv3 score of 9.1, it is equivalent to the first vulnerability in terms of risk and requires no user interaction.

Affected versions and Recommendations:

  • FortiSandbox 5.0 (versions 5.0.0 to 5.0.5) — upgrade to 5.0.6 or later
  • FortiSandbox 4.4 (versions 4.4.0 to 4.4.8) — upgrade to 4.4.9 or later
  • FortiSandbox 5.2 and 4.2 — not affected

This vulnerability has also not been observed being actively exploited in the wild; however, organizations are urged to apply the recommended patches immediately. Security teams should review their FortiSandbox deployments for potential exposure and restrict API access to trusted networks until the updates are applied.
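To support the deployment review recommended above, the following is an added example (not from the article and not Fortinet's code) that maps a FortiSandbox version string to the advisories in the two "Affected versions" lists; the ranges are copied from those lists, and parse_version(), affected_by() and triage() are hypothetical helper names.

```python
"""Version triage for the two FortiSandbox advisories in this article.
Added example, not from the article or Fortinet; the ranges come from the
two "Affected versions" lists above. Helper names are hypothetical."""
from typing import NamedTuple


class Advisory(NamedTuple):
    cve: str
    ranges: tuple[tuple[str, str, str], ...]  # (first, last affected, fixed)


ADVISORIES = (
    Advisory("CVE-2026-39808", (("4.4.0", "4.4.8", "4.4.9"),)),
    Advisory("CVE-2026-39813", (("4.4.0", "4.4.8", "4.4.9"),
                                ("5.0.0", "5.0.5", "5.0.6"))),
)


def parse_version(text: str) -> tuple[int, ...]:
    """'4.4.8 build1234' -> (4, 4, 8); a trailing build suffix is ignored."""
    return tuple(int(p) for p in text.strip().split()[0].split("."))


def affected_by(version: str) -> dict[str, str]:
    """Map each advisory covering `version` to its fixing release. Bounds are
    inclusive: 4.4.8 is affected, 4.4.9 is clean, and 5.0.x matches only
    CVE-2026-39813 (the 5.0 branch is clean for CVE-2026-39808)."""
    v = parse_version(version)
    hits: dict[str, str] = {}
    for adv in ADVISORIES:
        for low, high, fixed in adv.ranges:
            if parse_version(low) <= v <= parse_version(high):
                hits[adv.cve] = fixed
    return hits


def triage(version: str) -> str:
    # One-line verdict for an inventory report
    hits = affected_by(version)
    if not hits:
        return f"FortiSandbox {version}: not affected by either advisory"
    fixes = ", ".join(f"{cve} (upgrade to {fix} or later)"
                      for cve, fix in sorted(hits.items()))
    return f"FortiSandbox {version}: AFFECTED by {fixes}"


if __name__ == "__main__":
    for ver in ("4.4.8", "5.0.3", "5.0.6", "5.2.0"):  # constructed sample
        print(triage(ver))
```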

For more information about cyber security, you can visit CISA.

Dimitris Marizas (https://starlinkgreece.gr)
I translate bits and bytes into plain Greek. I love technology that solves problems and I'm always looking for the next "big thing" before it becomes mainstream.
