Fortinet has issued a high-priority warning regarding two separate critical vulnerabilities affecting core security components: FortiSandbox and FortiAuthenticator. Both flaws carry a CVSS score of 9.1, which rates them “Critical”, and both could allow unauthenticated attackers to execute unauthorized code or commands.
The first vulnerability, tracked as CVE-2026-26083, targets the Web UI of FortiSandbox, including its Cloud and PaaS (Platform as a Service) variants. This is a Missing Authorization [CWE-862] flaw.
Because the Web UI lacks proper authorization checks, an unauthenticated attacker can bypass access restrictions. By sending specially crafted HTTP requests, an attacker can execute unauthorized code or commands on the system.
Because a sandbox is often used to analyze the most dangerous malware in an isolated environment, an escape or compromise of the sandbox itself could have devastating consequences for the broader network.

| Product Version | Affected Range | Solution |
| --- | --- | --- |
| FortiSandbox 5.0 | 5.0.0 through 5.0.1 | Upgrade to 5.0.2 or above |
| FortiSandbox 4.4 | 4.4.0 through 4.4.8 | Upgrade to 4.4.9 or above |
| FortiSandbox Cloud 5.0 | 5.0.2 through 5.0.5 | Upgrade to 5.0.6 or above |
| FortiSandbox Cloud 23/24 | All versions | Migrate to a fixed release |
| FortiSandbox PaaS | Various (see advisory) | Upgrade/Migrate as specified |

The second critical issue, tracked as CVE-2026-44277, hits FortiAuthenticator, the cornerstone of many organizations’ identity and access management (IAM) strategies. This is an Improper Access Control [CWE-284] vulnerability.
Similar to the sandbox flaw, this vulnerability allows unauthenticated attackers to send crafted requests to the system.
Attackers can execute unauthorized code or commands, potentially compromising the very system responsible for verifying user identities and managing access keys.
FortiAuthenticator Cloud is confirmed not to be impacted by this specific issue.

| Product Version | Affected Range | Solution |
| --- | --- | --- |
| FortiAuthenticator 8.0 | 8.0.0, 8.0.2 | Upgrade to 8.0.3 or above |
| FortiAuthenticator 6.6 | 6.6.0 through 6.6.8 | Upgrade to 6.6.9 or above |
| FortiAuthenticator 6.5 | 6.5.0 through 6.5.6 | Upgrade to 6.5.7 or above |