Fortinet has released security updates for two critical vulnerabilities affecting FortiAuthenticator and FortiSandbox. Both vulnerabilities are rated Critical, carry a CVSS score of 9.1, and may allow an unauthenticated attacker to execute unauthorized code or commands on vulnerable systems.
The two vulnerabilities are:
| CVE | Product | Vulnerability Type | Impact |
| --- | --- | --- | --- |
| CVE-2026-44277 | FortiAuthenticator | Improper Access Control | Unauthenticated code or command execution |
| CVE-2026-26083 | FortiSandbox / FortiSandbox Cloud / FortiSandbox PaaS | Missing Authorization | Unauthenticated code or command execution via HTTP requests |
Technical Details
CVE-2026-44277: FortiAuthenticator Improper Access Control
CVE-2026-44277 affects FortiAuthenticator, Fortinet’s identity and access management solution used for authentication, MFA, SSO, and access control across enterprise environments. Fortinet describes the issue as an Improper Access Control vulnerability in FortiAuthenticator API endpoints. A remote unauthenticated attacker may be able to exploit the flaw using crafted requests to execute unauthorized code or commands.
Affected versions include:
| Product Version | Affected Versions | Fixed Version |
| --- | --- | --- |
| FortiAuthenticator 8.0 | 8.0.0, 8.0.2 | Upgrade to 8.0.3 or later |
| FortiAuthenticator 6.6 | 6.6.0 through 6.6.8 | Upgrade to 6.6.9 or later |
| FortiAuthenticator 6.5 | 6.5.0 through 6.5.6 | Upgrade to 6.5.7 or later |
Fortinet states that FortiAuthenticator Cloud is not impacted by CVE-2026-44277.
CVE-2026-26083: FortiSandbox Missing Authorization
CVE-2026-26083 affects FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS. Fortinet describes the issue as a Missing Authorization vulnerability in the FortiSandbox web UI. An unauthenticated attacker may be able to send HTTP requests to execute unauthorized code or commands on affected systems.
Affected versions include:
| Product Version | Affected Versions | Fixed Version / Action |
| --- | --- | --- |
| FortiSandbox 5.0 | 5.0.0 through 5.0.1 | Upgrade to 5.0.2 or later |
| FortiSandbox 4.4 | 4.4.0 through 4.4.8 | Upgrade to 4.4.9 or later |
| FortiSandbox Cloud 24 | All versions | Migrate to a fixed release |
| FortiSandbox Cloud 23 | All versions | Migrate to a fixed release |
| FortiSandbox Cloud 5.0 | 5.0.2 through 5.0.5 | Upgrade to 5.0.6 or later |
| FortiSandbox PaaS 23.4 / 23.3 / 23.1 / 22.2 / 22.1 / 21.4 / 21.3 | All versions listed | Migrate to a fixed release |
| FortiSandbox PaaS 5.0 | 5.0.0 through 5.0.1 | Upgrade to 5.0.2 or later |
| FortiSandbox PaaS 4.4 | 4.4.5 through 4.4.8 | Upgrade to 4.4.9 or later |
Impact
Successful exploitation could give attackers the ability to execute commands or code on vulnerable Fortinet systems. This is particularly sensitive because the affected products sit close to identity, authentication, malware analysis, and security enforcement workflows.
For FortiAuthenticator, compromise could create risk around authentication infrastructure, MFA workflows, SSO integrations, administrative access, and identity-based controls. For FortiSandbox, exploitation could undermine a system used to inspect suspicious files, URLs, and potentially malicious activity before it reaches users or internal systems.
At a practical level, these vulnerabilities should be treated as high-priority remediation items, especially where FortiAuthenticator or FortiSandbox management interfaces are exposed to the internet or reachable from less-trusted network segments.
Recommendations
Organizations using FortiAuthenticator or FortiSandbox should take the following actions:
- Identify affected assets
  Confirm whether FortiAuthenticator, FortiSandbox, FortiSandbox Cloud, or FortiSandbox PaaS are in use across the environment, and record the exact firmware or release version of each instance.
- Apply Fortinet security updates
  Upgrade FortiAuthenticator to 8.0.3, 6.6.9, or 6.5.7 depending on the deployed branch. Upgrade FortiSandbox to the fixed versions listed by Fortinet, or migrate FortiSandbox Cloud/PaaS deployments to a fixed release.
- Restrict access to management interfaces
  Limit access to Fortinet administrative portals, APIs, and web interfaces to trusted management networks, VPNs, or allowlisted administrator IP ranges.
- Review logs for suspicious activity
  Investigate unusual API access, unexpected HTTP requests to FortiSandbox web interfaces, new or modified administrative users, authentication configuration changes, and unexplained system commands or process activity.
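The first two steps above, asset identification and deciding which fix applies, are easy to get wrong by hand because the affected ranges differ per branch and per product line (FortiAuthenticator 8.0.1 is not listed, FortiSandbox Cloud 5.0 starts at 5.0.2, PaaS 4.4 starts at 4.4.5). The script below encodes the two affected-version tables from this advisory and evaluates an inventory against them. It is an added example written for this article, not Fortinet tooling; the inventory entries are constructed, and the product names and the `assess`/`report` functions are this example's own conventions. A version that matches no rule is reported as "not listed", not as safe: confirm it against the Fortinet PSIRT advisory rather than assuming it is unaffected.

```python
"""Evaluate a Fortinet asset inventory against the affected-version tables
for CVE-2026-44277 (FortiAuthenticator) and CVE-2026-26083 (FortiSandbox).
Added example for this article; the sample inventory is constructed."""

from dataclasses import dataclass
from typing import Optional

CVE_FAC = "CVE-2026-44277"
CVE_FSA = "CVE-2026-26083"


def parse_version(text: str) -> tuple[int, ...]:
    """'6.6.8' -> (6, 6, 8). Integer tuples order dotted releases correctly,
    unlike plain string comparison ('4.4.10' < '4.4.9' as strings)."""
    return tuple(int(part) for part in text.strip().split("."))


@dataclass(frozen=True)
class Rule:
    """One row of an affected-version table.

    branch: release train the row covers, e.g. (6, 6) or (24,)
    low/high: inclusive bounds within the branch; None means unbounded,
              so low=high=None is the advisory's 'All versions'.
    """
    cve: str
    product: str
    branch: tuple[int, ...]
    low: Optional[tuple[int, ...]]
    high: Optional[tuple[int, ...]]
    action: str

    def matches(self, product: str, version: tuple[int, ...]) -> bool:
        if product != self.product or version[: len(self.branch)] != self.branch:
            return False
        if self.low is not None and version < self.low:
            return False
        if self.high is not None and version > self.high:
            return False
        return True


def _r(cve, product, branch, low, high, action) -> Rule:
    pv = parse_version
    return Rule(cve, product, pv(branch),
                pv(low) if low else None, pv(high) if high else None, action)


# Transcribed from the advisory tables. FortiAuthenticator 8.0 lists only
# 8.0.0 and 8.0.2, so those are two exact-match rules rather than a range.
RULES = [
    _r(CVE_FAC, "FortiAuthenticator", "8.0", "8.0.0", "8.0.0", "Upgrade to 8.0.3 or later"),
    _r(CVE_FAC, "FortiAuthenticator", "8.0", "8.0.2", "8.0.2", "Upgrade to 8.0.3 or later"),
    _r(CVE_FAC, "FortiAuthenticator", "6.6", "6.6.0", "6.6.8", "Upgrade to 6.6.9 or later"),
    _r(CVE_FAC, "FortiAuthenticator", "6.5", "6.5.0", "6.5.6", "Upgrade to 6.5.7 or later"),
    _r(CVE_FSA, "FortiSandbox", "5.0", "5.0.0", "5.0.1", "Upgrade to 5.0.2 or later"),
    _r(CVE_FSA, "FortiSandbox", "4.4", "4.4.0", "4.4.8", "Upgrade to 4.4.9 or later"),
    _r(CVE_FSA, "FortiSandbox Cloud", "24", None, None, "Migrate to a fixed release"),
    _r(CVE_FSA, "FortiSandbox Cloud", "23", None, None, "Migrate to a fixed release"),
    _r(CVE_FSA, "FortiSandbox Cloud", "5.0", "5.0.2", "5.0.5", "Upgrade to 5.0.6 or later"),
    *[_r(CVE_FSA, "FortiSandbox PaaS", b, None, None, "Migrate to a fixed release")
      for b in ("23.4", "23.3", "23.1", "22.2", "22.1", "21.4", "21.3")],
    _r(CVE_FSA, "FortiSandbox PaaS", "5.0", "5.0.0", "5.0.1", "Upgrade to 5.0.2 or later"),
    _r(CVE_FSA, "FortiSandbox PaaS", "4.4", "4.4.5", "4.4.8", "Upgrade to 4.4.9 or later"),
]


def assess(product: str, version_text: str) -> Optional[dict]:
    """Return {'cve', 'action'} for the first matching rule, else None.
    None means 'not in the published affected list', not 'confirmed safe'."""
    version = parse_version(version_text)
    for rule in RULES:
        if rule.matches(product, version):
            return {"cve": rule.cve, "action": rule.action}
    return None


def report(inventory: list[tuple[str, str, str]]) -> list[dict]:
    """inventory rows are (hostname, product, version); returns one row per host."""
    rows = []
    for host, product, version in inventory:
        hit = assess(product, version)
        rows.append({
            "host": host, "product": product, "version": version,
            "status": "AFFECTED" if hit else "not listed (verify against PSIRT)",
            "cve": hit["cve"] if hit else "",
            "action": hit["action"] if hit else "",
        })
    return rows


# Constructed sample inventory, not real hosts.
SAMPLE_INVENTORY = [
    ("fac-prod-01", "FortiAuthenticator", "6.6.8"),
    ("fac-prod-02", "FortiAuthenticator", "8.0.1"),   # not listed in the advisory
    ("fsa-lab-01", "FortiSandbox", "4.4.3"),
    ("fsa-cloud-eu", "FortiSandbox Cloud", "24.1.0"),
    ("fsa-paas-01", "FortiSandbox PaaS", "4.4.4"),    # below the PaaS 4.4 range
]

if __name__ == "__main__":
    for row in report(SAMPLE_INVENTORY):
        print(f"{row['host']:14} {row['product']:19} {row['version']:8} "
              f"{row['status']:32} {row['cve']:15} {row['action']}")
```

Feed `report` the output of whatever inventory source you trust (a CMDB export, a scan of management VLANs), and treat every "AFFECTED" row as a patch ticket and every "not listed" row on an affected product as a verification task. Branch membership is checked before the bounds, so a FortiSandbox Cloud 24.x release is caught by the "All versions" rule regardless of its patch level, while 5.0.1 on the Cloud line is correctly left out because the advisory lists that branch only from 5.0.2.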
Stay Safe. Stay Secure
OP Innovate Research Team