Image: Samuel de Lucas Maroto
A critical vulnerability in FortiSandbox has been disclosed. The flaw, tracked as CVE-2026-39808, carries a devastating CVSS score of 9.1, allowing unauthenticated attackers to seize full control of the sandbox environment with the highest possible privileges.
The full technical details and a functional proof-of-concept (PoC) exploit have been publicly disclosed, effectively providing a roadmap for potential exploitation.
The vulnerability is a classic case of Improper Neutralization of Special Elements used in an OS Command (CWE-78). It resides within the /fortisandbox/job-detail/tracer-behavior endpoint, specifically targeting the jid GET parameter.
By utilizing the pipe symbol (|), an attacker can “break out” of the intended command structure and inject their own instructions. Because the service handles these requests with elevated permissions, a successful injection results in Remote Code Execution (RCE) as the root user.
According to the public disclosure by researcher Samuel de Lucas Maroto, a single, unauthenticated curl command is enough to trigger the vulnerability:
This command forces the server to execute the id command and pipe the output to a publicly accessible web directory, proving that the attacker has achieved full system execution without ever needing a username or password.
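For defenders, the injection pattern described above (shell metacharacters in the `jid` parameter of the tracer-behavior endpoint) is simple to hunt for in web access logs. The following is an added detection example, not code from the disclosure or from Fortinet; it assumes a common-log-format access log and uses constructed sample lines.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint and parameter named in the advisory.
TARGET_PATH = "/fortisandbox/job-detail/tracer-behavior"
TARGET_PARAM = "jid"

# Shell metacharacters that have no business in a job identifier.
SHELL_META = re.compile(r"[|;&`\n]|\$\(")

# Common log format: client - - [time] "METHOD target HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def flag_request(line: str):
    """Return a finding if the line hits the tracer-behavior endpoint with a
    jid value containing shell metacharacters, otherwise None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != TARGET_PATH:
        return None
    for value in parse_qs(parts.query, keep_blank_values=True).get(TARGET_PARAM, []):
        decoded = unquote(value)  # parse_qs decoded once; catch double-encoding too
        if SHELL_META.search(decoded):
            return {"ip": m.group("ip"), "ts": m.group("ts"),
                    "jid": decoded, "status": int(m.group("status"))}
    return None

def scan(lines):
    """Run flag_request over an iterable of log lines and collect findings."""
    return [f for f in (flag_request(l) for l in lines) if f]

def is_affected_version(version: str) -> bool:
    """True for FortiSandbox 4.4.0 through 4.4.8, the range Fortinet lists as vulnerable."""
    major, minor, patch = (int(x) for x in version.split("."))
    return (major, minor) == (4, 4) and patch <= 8

# Constructed sample log lines (hypothetical hosts, not from any real incident).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/May/2026:10:01:02 +0000] "GET /fortisandbox/job-detail/tracer-behavior?jid=12345 HTTP/1.1" 200 512',
    '10.0.0.7 - - [12/May/2026:10:01:09 +0000] "GET /fortisandbox/job-detail/tracer-behavior?jid=1%7Cid HTTP/1.1" 200 10',
    '10.0.0.9 - - [12/May/2026:10:02:00 +0000] "GET /fortisandbox/other?jid=1%7Cid HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Only the second sample line is flagged; a hit on a host still running an affected 4.4.x build warrants incident handling, not just patching.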

Fortinet has acknowledged the flaw and provided a clear remediation path. The vulnerability primarily impacts the 4.4 branch of the software.
| Product Version | Status | Recommended Action |
| --- | --- | --- |
| FortiSandbox 5.0 | Not Affected | No action required |
| FortiSandbox PaaS 5.0 | Not Affected | No action required |
| FortiSandbox 4.4.0 through 4.4.8 | Vulnerable | Upgrade to 4.4.9 or above |
Security teams are urged to treat this as a “patch now” priority.