Critical FortiSandbox flaws can let unauthenticated attackers run commands or bypass authentication
Fortinet has disclosed two critical FortiSandbox vulnerabilities that could let unauthenticated attackers execute unauthorized commands or bypass authentication on exposed systems. The flaws, CVE-2026-39808 and CVE-2026-39813, both carry CVSS v3 scores of 9.1 and were published on April 14, 2026.
The first issue, CVE-2026-39808, is an OS command injection flaw in the FortiSandbox API. Fortinet says an unauthenticated attacker could exploit it through crafted HTTP requests to execute unauthorized code or commands. Fortinet also says this bug is not known to be exploited in the wild at publication time.
The second issue, CVE-2026-39813, is a path traversal flaw in the FortiSandbox JRPC API. Fortinet says it can let an unauthenticated attacker escalate privileges through crafted HTTP requests, which turns it into a serious risk for internet-facing or poorly segmented deployments.
Affected versions and fixes
CVE-2026-39808 affects FortiSandbox 4.4.0 through 4.4.8. Fortinet says customers should upgrade to version 4.4.9 or later. FortiSandbox 5.0 is not listed as affected for this specific flaw.
CVE-2026-39813 affects FortiSandbox 5.0.0 through 5.0.5 as well as FortiSandbox 4.4.0 through 4.4.8. Fortinet says affected customers should upgrade to FortiSandbox 5.0.6 or later, or 4.4.9 or later, depending on branch. The advisory also says FortiSandbox 5.2 and 4.2 are not affected.
Fortinet’s broader PSIRT listing also shows related FortiSandbox advisories published the same day, which suggests April 14 was part of a wider patch batch across multiple Fortinet products. That does not change the immediate priority here: these two FortiSandbox bugs stand out because they are critical, unauthenticated, and tied to API-facing components.
Why these bugs matter
FortiSandbox often sits in a security workflow that analyzes suspicious files and threats before they spread further across the enterprise. If an attacker can compromise that layer, they may gain access to a system trusted by defenders and connected to other parts of the environment. This is an inference based on FortiSandbox’s role and the impact described in Fortinet’s advisories.
CVE-2026-39808 is the more direct code-execution risk. CVE-2026-39813 instead focuses on privilege escalation through authentication bypass. In practice, both flaws deserve the same urgency because neither requires authentication and both hit API surfaces that attackers commonly probe first.
The good news is that Fortinet says neither vulnerability is known to be exploited in the wild so far. Even so, this is the kind of disclosure that often triggers rapid scanning once patch details become public, especially when the bugs are easy to identify by version and product. That last sentence is a general security inference, not a direct vendor statement.
Vulnerabilities at a glance
| CVE | Issue | Affected versions | Fixed version | Severity |
|---|---|---|---|---|
| CVE-2026-39808 | OS command injection in API | FortiSandbox 4.4.0 to 4.4.8 | 4.4.9 or later | Critical 9.1 |
| CVE-2026-39813 | Path traversal in JRPC API leading to privilege escalation | FortiSandbox 4.4.0 to 4.4.8 and 5.0.0 to 5.0.5 | 4.4.9 or later, 5.0.6 or later | Critical 9.1 |
Source: Fortinet PSIRT and NVD.
What security teams should do now
- Patch FortiSandbox 4.4 systems to 4.4.9 or later.
- Patch FortiSandbox 5.0 systems to 5.0.6 or later for CVE-2026-39813.
- Restrict access to FortiSandbox APIs and management interfaces to trusted networks only. This is a defensive best practice based on the attack path described in the advisories.
- Review logs for unusual crafted HTTP requests targeting FortiSandbox API endpoints. This is a practical recommendation inferred from the attack descriptions.
- Verify whether any internet-facing FortiSandbox instances remain exposed while patching is underway.
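To support the inventory step above, here is an added triage helper (example code written for this article, not Fortinet tooling) that applies the published affected ranges and fixed versions to a constructed list of FortiSandbox hosts. It assumes version strings are plain three-part dotted numbers such as "5.0.3" or "v4.4.7".

```python
# Affected ranges and fixed versions as listed in the article's table.
ADVISORIES = {
    "CVE-2026-39808": {
        "issue": "OS command injection in API",
        "affected": [((4, 4, 0), (4, 4, 8))],
        "fixed": {(4, 4): (4, 4, 9)},
    },
    "CVE-2026-39813": {
        "issue": "Path traversal in JRPC API leading to privilege escalation",
        "affected": [((4, 4, 0), (4, 4, 8)), ((5, 0, 0), (5, 0, 5))],
        "fixed": {(4, 4): (4, 4, 9), (5, 0): (5, 0, 6)},
    },
}


def parse_version(text):
    """Turn '5.0.3' or 'v5.0.3' into a comparable (major, minor, patch) tuple."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiSandbox version: {text!r}")
    return tuple(int(p) for p in parts)


def triage(version_text):
    """Return {cve: fixed_version} for each advisory whose affected range
    contains the version. An empty dict means no listed range applies
    (for example 4.2.x, 5.2.x, or an already patched 4.4.9 / 5.0.6)."""
    v = parse_version(version_text)
    hits = {}
    for cve, adv in ADVISORIES.items():
        if any(lo <= v <= hi for lo, hi in adv["affected"]):
            # The fix depends on the branch (major.minor) the host is on.
            hits[cve] = ".".join(map(str, adv["fixed"][v[:2]]))
    return hits


def triage_inventory(inventory):
    """Map each host name to its triage result; inventory is {host: version}."""
    return {host: triage(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical host names and versions).
    sample = {"sbx-dc1": "4.4.7", "sbx-dc2": "5.0.5", "sbx-lab": "5.2.0", "sbx-new": "4.4.9"}
    for host, hits in triage_inventory(sample).items():
        status = ", ".join(f"{c} -> upgrade to {f}" for c, f in hits.items())
        print(f"{host} ({sample[host]}): {status or 'not in a listed affected range'}")
```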
FAQ
Are these vulnerabilities being exploited in the wild?
Fortinet says both CVE-2026-39808 and CVE-2026-39813 are not known to be exploited in the wild at publication time.
How do the two flaws differ?
Both carry the same CVSS v3 score of 9.1 and both are unauthenticated. CVE-2026-39808 is tied to command execution, while CVE-2026-39813 can lead to privilege escalation through authentication bypass.
Is FortiSandbox 5.0 affected by CVE-2026-39808?
No. Fortinet lists FortiSandbox 4.4.0 through 4.4.8 as affected for CVE-2026-39808.
Which version should FortiSandbox users upgrade to?
Fortinet says users should move to 5.0.6 or later on the 5.0 branch, or 4.4.9 or later on the 4.4 branch.