Two vulnerabilities (CVE-2026-39813, CVE-2026-39808) in FortiSandbox could be leveraged by unauthenticated attackers to bypass authentication and execute unauthorized code or commands on vulnerable systems.
Both vulnerabilities can be triggered with a specially crafted HTTP request, putting unpatched FortiSandbox deployments at risk.
About FortiSandbox
FortiSandbox is Fortinet’s security solution for detecting and analyzing advanced threats. It does so by detonating suspicious files and URLs in an isolated environment and returning verdicts.
Other Fortinet products – firewalls, email security appliances, endpoint security clients, SIEMs, SOARs – depend on those verdicts to enforce blocking decisions or to trigger alerts and automated playbooks. FortiSandbox connects with those solutions through the Fortinet Security Fabric.
The fixed vulnerabilities
CVE-2026-39813 is a path traversal vulnerability in FortiSandbox’s JRPC API, and could allow attackers to bypass authentication on systems running FortiSandbox versions 5.0.0 through 5.0.5 and 4.4.0 through 4.4.8.
CVE-2026-39808 affects an unspecified API in FortiSandbox versions 4.4.0 through 4.4.8, allowing unauthenticated code/command execution by taking advantage of improper neutralization of special elements used in an OS command.
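A quick way to triage an inventory against the two advisories is to compare each appliance's version against the affected ranges listed above. The following is an added example, not code from Fortinet or from the article; the affected ranges are taken from the text, while the function names, the version-string handling and the sample inputs are this example's own assumptions. Note that the article names only the affected ranges and does not state the fixed versions or say anything about older branches, so the check reports only "inside a listed affected range".

```python
"""Check FortiSandbox version strings against the affected ranges
reported for CVE-2026-39813 and CVE-2026-39808 (added example)."""

import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive affected ranges as reported in the article. Fixed builds are
# not stated on the page, so nothing here claims a version is "fixed".
AFFECTED = {
    "CVE-2026-39813": [((5, 0, 0), (5, 0, 5)), ((4, 4, 0), (4, 4, 8))],
    "CVE-2026-39808": [((4, 4, 0), (4, 4, 8))],
}

# Accepts '5.0.3', 'v4.4.8' or 'v4.4.8 build0123' style strings
# (assumed formats; adjust if your inventory exports something else).
_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Extract major.minor.patch from a version string, or None if absent."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def affected_cves(text: str) -> List[str]:
    """Return the CVEs whose reported affected ranges contain this version."""
    v = parse_version(text)
    if v is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    hits = []
    for cve, ranges in AFFECTED.items():
        # Tuple comparison gives a correct lexicographic version order.
        if any(lo <= v <= hi for lo, hi in ranges):
            hits.append(cve)
    return hits


if __name__ == "__main__":
    # Constructed sample inventory entries (hypothetical hostnames).
    inventory = {
        "fsa-dc1": "v5.0.3 build0234",
        "fsa-dc2": "4.4.8",
        "fsa-lab": "5.0.6",
    }
    for host, ver in inventory.items():
        cves = affected_cves(ver)
        status = ", ".join(cves) if cves else "not in a listed affected range"
        print(f"{host}: {ver} -> {status}")
```

Because the ranges are inclusive and compared as integer tuples, a version such as 5.0.10 would correctly sort above 5.0.5 rather than being caught by a string comparison.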
Both vulnerabilities have been disclosed to Fortinet by researchers: CVE-2026-39813 was flagged by Loic Pantano of Fortinet’s own PSIRT team, and CVE-2026-39808 by Samuel de Lucas Maroto from KPMG Spain.
There is currently no indication that either vulnerability has been or is being exploited by attackers. Still, a compromised FortiSandbox instance could be used to pass off malicious files as clean to the Fortinet products that rely on its verdicts, or to serve as a foothold into an enterprise network and a pivot point for lateral movement within it.
In this latest batch of security updates, Fortinet has also fixed three internally-discovered, medium-severity vulnerabilities affecting FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS.
Two (CVE-2025-61886, CVE-2026-39812) allow cross-site scripting attacks, and one (CVE-2026-25691) may enable “a privileged attacker with super-admin profile and CLI access to delete an arbitrary directory via HTTP crafted requests.”