Fortinet has disclosed two critical vulnerabilities affecting FortiSandbox and FortiAuthenticator that could enable unauthenticated remote code execution (RCE) on exposed systems.

Tracked as CVE-2026-44277 with a severity of 9.1 (Critical) can be exploited via crafted HTTP requests without requiring authentication, allowing the unauthenticated attacker to execute unauthorised code or commands via crafted requests.

A second vulnerability tracked as CVE-2026-26083 with a severity of 9.1 (Critical) is a missing authorisation vulnerability in FortiSandbox, FortiSandbox Cloud and FortiSandbox PaaS WEB UI may allow an unauthenticated attacker to execute unauthorised code or commands via HTTP requests.

Although no active exploitation has been confirmed as of 12 May 2026, Fortinet appliances are frequent targets of ransomware groups and state-aligned actors, significantly increasing the likelihood of rapid weaponisation.

 Affected Products - 

FortiAuthenticator (IAM)

  • Vulnerable to improper access control
  • CVE: CVE-2026-44277
  • Affected versions:
    • 6.5.0 – 6.5.6
    • 6.6.0 – 6.6.8
    • 8.0.0 – 8.0.2
  • Not affected: FortiAuthenticator Cloud

FortiSandbox (Threat Analysis Platform)

  • Vulnerable to missing authorization in Web UI/API
  • CVE: CVE-2026-26083
  • Affected:
    • FortiSandbox (on-prem)
    • FortiSandbox Cloud
    • FortiSandbox PaaS

Vulnerability Details -

1. CVE-2026-44277 — FortiAuthenticator

  • Type: Improper Access Control (CWE-284)
  • Impact: Unauthenticated remote command/code execution
  • Attack vector: Crafted HTTP requests
  • Privileges required: None

Risk context:
Compromise of FortiAuthenticator can undermine:

  • MFA systems
  • Identity management
  • Enterprise authentication trust chains

This can enable attackers to bypass authentication protections entirely and pivot deeper into enterprise networks.

 

2. CVE-2026-26083 — FortiSandbox

  • Type: Missing Authorization (CWE-862)
  • Impact: Unauthenticated RCE via Web UI/API
  • Attack vector: Crafted HTTP requests
  • Privileges required: None

Risk context:

FortiSandbox is often deployed as a core security control. Compromise could:

  • Disable malware detection pipelines
  • Manipulate sandbox analysis results
  • Provide strategic access to internal threat intelligence

Mitigation & Remediation -

Immediate Actions

  • Patch immediately:
    • FortiAuthenticator → upgrade to:
      • 6.5.7 / 6.6.9 / 8.0.3+
    • FortiSandbox → upgrade to:
      • 5.0.2 / 4.4.9+

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively get in touchto find out how you can protect your organisation. 

 

Contact Us