PSIRT

Unauthenticated authentication bypass and privilege escalation in FortiSandbox

Summary

A Path Traversal vulnerability [CWE-24] in the FortiSandbox JRPC API may allow an unauthenticated attacker to bypass authentication via specially crafted HTTP requests.

Affected versions

Version            Affected                Solution
FortiSandbox 5.2   Not affected            Not Applicable
FortiSandbox 5.0   5.0.0 through 5.0.5     Upgrade to 5.0.6 or above
FortiSandbox 4.4   4.4.0 through 4.4.8     Upgrade to 4.4.9 or above
FortiSandbox 4.2   Not affected            Not Applicable

Acknowledgement

Internally discovered and reported by Loic Pantano of Fortinet PSIRT.

Timeline

2026-04-14: Initial publication

IR Number: FG-IR-26-112
Published Date: Apr 14, 2026
Component: API
Severity: Critical
Discovered: Internal
Attack Type: Unauthenticated
Known Exploited: No
CVSSv3 Score: 9.1
Impact: Escalation of privilege
CVE ID: CVE-2026-39813
A critical path traversal vulnerability (CVE-2026-39813, CVSSv3 9.1) in the FortiSandbox JRPC API allows unauthenticated attackers to bypass authentication and escalate privileges via specially crafted HTTP requests. Affected versions are FortiSandbox 5.0.0 through 5.0.5 and 4.4.0 through 4.4.8. The vulnerability is remediated by upgrading to FortiSandbox 5.0.6 or above, or to version 4.4.9 or above.
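The version table above is the part of the advisory an operator actually has to act on, so here is an added example (not Fortinet's code and not part of the advisory) that encodes the affected ranges for FG-IR-26-112 and triages a fleet inventory against them. The host names and build strings in SAMPLE_INVENTORY are constructed; the "vX.Y.Z buildNNNN" format is an assumed shape for the strings an asset database might hold, and parse_version only keeps the leading major.minor.patch token.

```python
# Added example: triage FortiSandbox builds against the FG-IR-26-112 /
# CVE-2026-39813 version table. Not Fortinet code; ranges copied from the advisory.
from typing import NamedTuple, Optional


class Verdict(NamedTuple):
    affected: bool
    fixed_in: Optional[str]  # first fixed release on the same branch, if affected


# Affected ranges from the advisory, keyed by release branch (major, minor).
# Branches not listed here (5.2, 4.2) are stated as not affected.
AFFECTED_RANGES = {
    (5, 0): ((5, 0, 0), (5, 0, 5), "5.0.6"),
    (4, 4): ((4, 4, 0), (4, 4, 8), "4.4.9"),
}


def parse_version(text: str) -> tuple:
    """Turn '5.0.3', 'v5.0.3' or 'v5.0.3 build0274' (assumed format) into (5, 0, 3)."""
    token = text.strip().lstrip("vV").split()[0]
    parts = token.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))


def check(version: str) -> Verdict:
    """Decide whether a single build falls inside an affected range."""
    v = parse_version(version)
    branch = AFFECTED_RANGES.get(v[:2])
    if branch is None:
        return Verdict(False, None)
    low, high, fix = branch
    if low <= v <= high:  # tuple comparison is lexicographic: major, minor, patch
        return Verdict(True, fix)
    return Verdict(False, None)


# Constructed sample inventory (host -> reported firmware string).
SAMPLE_INVENTORY = {
    "fsa-lab-01": "v5.0.3 build0274",
    "fsa-lab-02": "v5.0.6 build0301",
    "fsa-dc-01": "4.4.8",
    "fsa-dc-02": "v4.4.9",
    "fsa-old-01": "4.2.7",
    "fsa-new-01": "v5.2.0",
}


def triage(inventory: dict) -> list:
    """Return (host, version, fixed_in) for every host that needs the upgrade."""
    findings = []
    for host, version in sorted(inventory.items()):
        verdict = check(version)
        if verdict.affected:
            findings.append((host, version, verdict.fixed_in))
    return findings


if __name__ == "__main__":
    for host, version, fix in triage(SAMPLE_INVENTORY):
        print(f"{host}: {version} is affected by CVE-2026-39813, upgrade to {fix} or above")
```

The branch-keyed table matters because the fix versions differ per branch: a 4.4.8 box should be taken to 4.4.9, not told to jump to 5.0.6, and a build on 5.2 or 4.2 should produce no finding at all rather than being compared against a neighbouring branch.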