
April 17, 2026

Fortinet fixes critical FortiSandbox vulnerabilities


At a glance: Fortinet disclosed two critical FortiSandbox vulnerabilities in April 2026 that allow unauthenticated execution of OS commands or authentication bypass via crafted HTTP requests, affecting specific 4.4 and 5.0 versions. While no exploitation has been observed, the flaws expose security tooling that is often trusted and internally accessible, increasing risk if systems are unpatched. Organizations need to inventory FortiSandbox deployments, confirm affected versions, and apply vendor updates to reduce exposure.

Threat summary

On April 14, 2026, Fortinet published two Product Security Incident Response Team (PSIRT) advisories, FG-IR-26-100 and FG-IR-26-112, addressing critical vulnerabilities in FortiSandbox, its malware analysis and sandboxing platform.

FortiSandbox is commonly deployed on premises and may be accessible to other security systems or internal networks. As a result, vulnerabilities affecting FortiSandbox introduce risk to security tooling that is often implicitly trusted within enterprise environments.

The vulnerabilities allow an unauthenticated threat actor to execute operating system commands or bypass authentication using specially crafted HTTP requests. Both vulnerabilities are rated critical, with a Common Vulnerability Scoring System (CVSS) version 3.1 base score of 9.1.

CVE-2026-39808

The first vulnerability, tracked as CVE-2026-39808, is an operating system command injection issue in the FortiSandbox application programming interface. Successful exploitation allows an unauthenticated threat actor to execute unauthorized commands on the affected system.

This vulnerability impacts FortiSandbox versions 4.4.0 through 4.4.8. Fortinet states that FortiSandbox 5.0 and FortiSandbox Platform-as-a-Service deployments are not affected by this issue. CVE-2026-39808 is resolved by upgrading FortiSandbox 4.4 deployments to version 4.4.9 or later.

CVE-2026-39813

The second vulnerability, CVE-2026-39813, is a path traversal flaw in the FortiSandbox Java Remote Procedure Call interface. Exploitation allows an unauthenticated threat actor to bypass authentication controls and escalate privileges.

This vulnerability affects FortiSandbox versions 4.4.0 through 4.4.8 and FortiSandbox versions 5.0.0 through 5.0.5. CVE-2026-39813 is resolved by upgrading FortiSandbox 4.4 deployments to version 4.4.9 or later and FortiSandbox 5.0 deployments to version 5.0.6 or later. Fortinet states that FortiSandbox 5.2 is not affected by CVE-2026-39813.

Analysis

Fortinet reports no evidence of exploitation in the wild at the time of publication. Both vulnerabilities are exploitable over the network and do not require valid credentials, prior access, or user interaction.

The potential impact depends on how FortiSandbox is deployed and exposed. Compromise could undermine the integrity of malware analysis workflows, expose analyzed artifacts, or provide a foothold within trusted network segments.

Organizations can reduce exposure by identifying FortiSandbox instances, validating deployed versions, and applying vendor updates. Restricting network access to FortiSandbox interfaces can limit exposure but does not remediate the vulnerabilities themselves.
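The version validation step can be scripted against an asset inventory. The following is an added example, not Fortinet tooling or code from the advisories: it encodes only the affected ranges and fixed versions stated above, and the hostnames and version-string formats in the sample inventory are constructed. Branches the summary does not mention for a given CVE are reported as "not stated" rather than assumed safe.

```python
import re

# Affected ranges and fixes as stated in this advisory summary, per release branch:
# branch -> (last affected version, first fixed version).
ADVISORY = {
    "CVE-2026-39808": {
        "affected": {(4, 4): ((4, 4, 8), (4, 4, 9))},
        "not_affected": {(5, 0)},   # vendor statement quoted above
    },
    "CVE-2026-39813": {
        "affected": {(4, 4): ((4, 4, 8), (4, 4, 9)),
                     (5, 0): ((5, 0, 5), (5, 0, 6))},
        "not_affected": {(5, 2)},   # vendor statement quoted above
    },
}

def parse_version(text):
    """Extract the first major.minor.patch triple from an inventory string."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(part) for part in m.groups())

def triage(version_text):
    """Map each CVE to (status, upgrade_target) for one deployed version."""
    version = parse_version(version_text)
    branch = version[:2]
    findings = {}
    for cve, scope in ADVISORY.items():
        if branch in scope["affected"]:
            last_bad, fixed = scope["affected"][branch]
            if version <= last_bad:
                findings[cve] = ("affected", ".".join(map(str, fixed)))
            else:
                findings[cve] = ("fixed", None)
        elif branch in scope["not_affected"]:
            findings[cve] = ("not affected", None)
        else:
            # Branch not mentioned for this CVE: do not assume it is safe.
            findings[cve] = ("not stated", None)
    return findings

if __name__ == "__main__":
    # Constructed inventory; hostnames and version strings are hypothetical.
    inventory = {"fsa-lab-01": "4.4.8", "fsa-dmz-01": "v5.0.5", "fsa-soc-01": "5.2.0"}
    for host, ver in inventory.items():
        print(host, ver, triage(ver))
```

Any host reported as "not stated" needs to be checked against the PSIRT advisories directly, since this summary does not cover that branch.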
