CVE-2026-39813: Critical Path Traversal in FortiSandbox Allows Privilege Escalation
CVE-2026-39813 is a critical (CVSS 9.1) CWE-24 path traversal flaw in Fortinet FortiSandbox 4.4.x and 5.0.x that lets unauthenticated remote attackers escalate privileges via crafted HTTP requests.

TL;DR
- CVE-2026-39813 is a critical path traversal (CWE-24) vulnerability in Fortinet FortiSandbox and FortiSandbox Cloud.
- CVSS base score: 9.1 - exploitable remotely, with no authentication and no user interaction required.
- Affected versions: FortiSandbox 4.4.0-4.4.8 and 5.0.0-5.0.5 (including Cloud variant).
- No confirmed in-the-wild exploitation at the time of writing; not listed in the CISA KEV catalog.
- Immediate action: apply the patch detailed in the Fortinet PSIRT advisory FG-IR-26-112 and restrict management interface access.
What is CVE-2026-39813?
CVE-2026-39813 is a path traversal flaw in Fortinet FortiSandbox that allows a remote, unauthenticated attacker to send specially crafted HTTP requests containing directory-traversal sequences (../filedir) to escape the intended file-access boundary and escalate their privileges on the appliance. The weakness is classified as CWE-24 and was published on 2026-04-14.
FortiSandbox is a threat-detection platform used to detonate and analyze suspicious files and URLs. A privilege escalation flaw on this appliance is especially damaging because the device sits at an inspection choke-point and typically holds elevated integration credentials for other Fortinet and third-party security products.
Who is affected?
The following products and version ranges are confirmed vulnerable per the CVE record:
- Fortinet FortiSandbox 5.0.0 through 5.0.5
- Fortinet FortiSandbox 4.4.0 through 4.4.8
- Fortinet FortiSandbox Cloud (all editions within the affected release bands)
Organizations running FortiSandbox in any of these version ranges - whether on-premises hardware, virtual machine, or the hosted Cloud offering - should treat this as a priority remediation item.
How severe is it?
The CVSS 3.1 base score of 9.1 (Critical) reflects a worst-case combination of exploitability factors:
| Factor | Value | Meaning |
|---|---|---|
| Attack Vector | Network | Exploitable over the internet |
| Attack Complexity | Low | No special conditions required |
| Privileges Required | None | No account needed |
| User Interaction | None | Fully automated attack possible |
| Confidentiality Impact | High | Sensitive files exposed |
| Integrity Impact | High | Files or config can be written/modified |
| Availability Impact | High | Appliance stability at risk |
The temporal metrics (Exploit code maturity: Functional, Remediation Level: Official Fix, Report Confidence: Confirmed) indicate that functional exploit techniques are understood and an official fix exists. The high integrity and confidentiality impacts are particularly alarming on a security appliance: an attacker who elevates privileges on FortiSandbox could tamper with file analysis results, extract API tokens used for fabric integrations, or use the appliance as a pivot point deeper into the network.
Is it being exploited?
At the time of writing, CVE-2026-39813 does not appear in the CISA Known Exploited Vulnerabilities (KEV) catalog, and no public reports of in-the-wild exploitation have been confirmed. However, the following factors elevate the risk level significantly:
- The CVSS temporal metric lists exploit maturity as Functional, meaning working exploit techniques are plausible even without a public proof-of-concept.
- The combination of no authentication required and a network-accessible attack vector means opportunistic scanning could reach vulnerable appliances quickly after any public disclosure.
- FortiSandbox management interfaces exposed to the internet are high-value targets for state-sponsored and financially motivated threat actors who have historically focused on Fortinet products.
Administrators should not wait for a KEV listing before acting.
How to fix and mitigate it
- Apply the vendor patch immediately. Fortinet has published an official fix. Refer to Fortinet PSIRT advisory FG-IR-26-112 for the exact fixed build numbers and upgrade paths. Do not rely on version numbers published anywhere other than the official advisory.
- Restrict management interface access. If patching is not immediately possible, limit HTTP/HTTPS access to the FortiSandbox management interface using firewall rules or local policies:

```
# Example: allow management only from a trusted admin subnet
config system interface
    edit "mgmt"
        set allowaccess https ssh
        set trust-ip-1 192.0.2.0/24    # replace with your admin subnet
    next
end
```

- Disable unnecessary HTTP services. Turn off any web-accessible features not required for operations to shrink the attack surface.
- Segment FortiSandbox from internet-facing networks. Place the appliance behind a dedicated management VLAN or out-of-band network so only authorized systems can reach it.
- Monitor for anomalous HTTP requests. Enable and review FortiSandbox system logs for requests containing ../ or encoded traversal sequences (%2e%2e%2f, %2e%2e/).
- Review fabric integration credentials. After patching, rotate any API keys, service account passwords, or certificates that FortiSandbox uses to communicate with other Fortinet or third-party systems - treating them as potentially compromised.
How to detect exposure
Version check - confirm your build is in the affected range:
```sh
# On the FortiSandbox CLI
get system status | grep Version
```
If the output shows any build between 4.4.0-4.4.8 or 5.0.0-5.0.5, the appliance is vulnerable.
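As an added illustration (not from the advisory or from Fortinet), the following Python helper pulls the x.y.z version out of a status line like the one the command above returns and checks it against the two affected bands. The sample line is constructed and the real wording may differ, so adjust the regular expression to your output. Versions are compared as integer tuples so that a hypothetical 4.4.10 is not mistaken for something older than 4.4.8, which a plain string comparison would do.

```python
import re

# Affected release bands from this advisory, inclusive on both ends.
AFFECTED_RANGES = (
    ((4, 4, 0), (4, 4, 8)),
    ((5, 0, 0), (5, 0, 5)),
)

# First dotted three-part version, with or without a leading "v".
_VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)\b")


def parse_version(status_output: str):
    """Return the first x.y.z version in the text as an int tuple, or None."""
    m = _VERSION_RE.search(status_output)
    if not m:
        return None
    return tuple(int(part) for part in m.groups())


def is_affected(status_output: str) -> bool:
    """True when the parsed version lies inside one of the affected bands."""
    version = parse_version(status_output)
    if version is None:
        raise ValueError(f"no x.y.z version found in: {status_output!r}")
    return any(low <= version <= high for low, high in AFFECTED_RANGES)


if __name__ == "__main__":
    # Constructed sample; the real 'get system status' wording may differ.
    sample = "Version: FortiSandbox-VM64 v5.0.3,build0000 (GA)"
    verdict = "AFFECTED - patch per FG-IR-26-112" if is_affected(sample) else "outside affected bands"
    print(f"{sample} -> {verdict}")
```

A result of "outside affected bands" is not proof of safety on its own: confirm the fixed build against the vendor advisory, since a release newer than 5.0.5 is only safe if it is one of the builds the advisory lists as fixed.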
Log review - search for traversal attempts:
```sh
# Look for encoded or literal traversal patterns (../, ..\, %2e%2e, double-encoded %252e) in HTTP logs
grep -E '\.\./|\.\.\\|%2e%2e|%252e' /var/log/httpd/access_log
```
Network scan - identify exposed management ports:
Use your internal scanner to verify whether TCP 443 (or any configured management port) on FortiSandbox appliances is reachable from untrusted network segments. Any positive result should trigger immediate interface restriction.
EDR/SIEM correlation - alert on HTTP 200 responses to requests matching traversal patterns against the FortiSandbox management IP range.
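The grep above catches the literal and once-encoded forms but will also hit benign filenames, and it cannot tell a refused request from one that was served. The following Python detector, added here as an example and not part of the advisory or any Fortinet tooling, covers both the monitoring item in the mitigation list and the log-review and correlation steps in this section: it percent-decodes each request target until it stops changing (so %252e becomes %2e and then a dot), folds backslashes to forward slashes, flags only a real dot-dot segment, and rates a 200 response as high severity. The log layout and sample lines are constructed assumptions in Apache combined format; adapt the `_LOG_RE` pattern to the real appliance log format.

```python
import re
from urllib.parse import unquote

# Assumed Apache/nginx-style combined log layout: client, timestamp,
# request line, status. Adjust the pattern if the appliance logs differ.
_LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# After normalisation every traversal form collapses to "../" (or a trailing
# ".."), so one pattern covers literal, encoded and backslash variants while
# ignoring names that merely contain two dots, such as "release..notes.html".
_TRAVERSAL_RE = re.compile(r'\.\.(?:/|$)')


def normalize_path(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded, to avoid
    endless decode loops), then fold backslashes to forward slashes."""
    current = raw
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.replace("\\", "/")


def is_traversal(raw_path: str) -> bool:
    """True if the request target contains a dot-dot segment in any encoding."""
    return bool(_TRAVERSAL_RE.search(normalize_path(raw_path)))


def scan_log(lines):
    """Return (client, raw_path, status, severity) for each traversal attempt.
    A 200 response is rated high, following the correlation rule on this page,
    because it may mean the traversal was served rather than refused."""
    findings = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m or not is_traversal(m.group("path")):
            continue
        status = int(m.group("status"))
        severity = "high" if status == 200 else "low"
        findings.append((m.group("client"), m.group("path"), status, severity))
    return findings


# Constructed sample lines (not real FortiSandbox logs); RFC 5737 test addresses.
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Apr/2026:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [14/Apr/2026:10:00:02 +0000] "GET /download?file=../../filedir HTTP/1.1" 200 2048',
    '198.51.100.7 - - [14/Apr/2026:10:00:03 +0000] "GET /%2e%2e%2f%2e%2e%2ffiledir HTTP/1.1" 403 0',
    '203.0.113.5 - - [14/Apr/2026:10:00:04 +0000] "GET /static/%252e%252e/filedir HTTP/1.1" 404 0',
    '192.0.2.11 - - [14/Apr/2026:10:00:05 +0000] "GET /docs/release..notes.html HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for client, path, status, severity in scan_log(SAMPLE_LOG):
        print(f"{severity.upper():4} {client:14} {status} {path}")
```

Run against the constructed sample, it reports three findings and leaves the benign `release..notes.html` request alone; the 200 to the literal `../../filedir` request is the one to escalate, while the 403 and 404 entries are evidence of probing and are worth feeding into the interface-restriction decision.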
Frequently asked questions
Does CVE-2026-39813 require authentication to exploit?
No. The CVSS vector (PR:N, UI:N) confirms that an unauthenticated remote attacker with no user interaction can send specially crafted HTTP requests to trigger the path traversal and escalate privileges on a vulnerable FortiSandbox instance.
Which FortiSandbox versions are vulnerable?
The vulnerability affects FortiSandbox 4.4.0 through 4.4.8 and FortiSandbox 5.0.0 through 5.0.5, as well as FortiSandbox Cloud. Administrators should consult the official Fortinet advisory FG-IR-26-112 for confirmed fixed releases.
Is CVE-2026-39813 being actively exploited in the wild?
At the time of writing, CVE-2026-39813 is not listed in the CISA Known Exploited Vulnerabilities catalog. No confirmed public in-the-wild exploitation has been reported, but the critical score and no-auth requirement make rapid patching essential.
What is CWE-24 and why is it dangerous in a security appliance?
CWE-24 covers path traversal using sequences like ../filedir to escape a restricted directory. In a security appliance like FortiSandbox, this can expose sensitive configuration files or system paths, giving an attacker the footing needed to escalate privileges on the host.
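To make the weakness class concrete, here is an added example in Python, unrelated to FortiSandbox's own code, that places the CWE-24 pattern beside its hardened form. `unsafe_resolve` joins an untrusted name onto a base directory with no containment check, which is exactly what lets `../filedir` escape; `safe_resolve` canonicalises both sides and refuses any result that does not land under the base. The directory tree, file names and requests are constructed inside a temporary directory so the script runs offline.

```python
import os
import tempfile
from pathlib import Path


def unsafe_resolve(base: str, requested: str) -> str:
    """The CWE-24 pattern: the untrusted name is joined onto the base directory
    with no containment check, so a leading '../' simply walks out of `base`."""
    return os.path.normpath(os.path.join(base, requested))


def safe_resolve(base: str, requested: str) -> Path:
    """Hardened form: reject absolute input, canonicalise both sides (resolving
    symlinks and dot segments), and refuse anything outside the base directory."""
    base_dir = Path(base).resolve()
    if Path(requested).is_absolute():
        raise PermissionError(f"absolute path rejected: {requested!r}")
    candidate = (base_dir / requested).resolve()
    if candidate != base_dir and base_dir not in candidate.parents:
        raise PermissionError(f"path escapes base directory: {requested!r}")
    return candidate


def demo() -> dict:
    """Create a throwaway tree with one file inside the allowed directory and one
    outside it, then run both resolvers on a benign and a traversal request."""
    root = Path(tempfile.mkdtemp())
    allowed = root / "allowed"
    allowed.mkdir()
    (allowed / "report.txt").write_text("inside the allowed directory\n")
    (root / "outside.txt").write_text("outside: must never be reachable\n")

    results = {}
    for requested in ("report.txt", "../outside.txt"):
        unsafe = unsafe_resolve(str(allowed), requested)
        entry = {
            # Did the naive join land outside the allowed directory?
            "unsafe_escapes": not unsafe.startswith(str(allowed) + os.sep),
            # And would a read at that location succeed?
            "unsafe_readable": os.path.isfile(unsafe),
        }
        try:
            safe_resolve(str(allowed), requested)
            entry["safe_accepted"] = True
        except PermissionError:
            entry["safe_accepted"] = False
        results[requested] = entry
    return results


if __name__ == "__main__":
    for requested, outcome in demo().items():
        print(f"{requested!r}: {outcome}")
```

Because `safe_resolve` calls `resolve()` on the joined path, it also follows symlinks, so a link planted inside the allowed directory that points elsewhere is rejected the same way as a dot-dot sequence; a check that only strips `../` from the input would miss that case.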