
The flaw in FortiAuthenticator, tracked as CVE-2026-44277, carries a CVSS score of 9.1 and is described as an improper access control issue. Successful exploitation allows unauthenticated attackers to execute unauthorized code and commands by sending specially crafted requests.
An identity and access management (IAM) solution, FortiAuthenticator serves as the central hub for RADIUS, LDAP, and SAML authentication. It integrates with Active Directory and supports single sign-on and multi-factor authentication. To patch the vulnerability, companies are advised to upgrade to FortiAuthenticator 6.5.7 or later on the 6.5 branch, 6.6.9 or later on the 6.6 branch, or 8.0.3 or later on the 8.0 branch, depending on the release they're running.
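Because the fix is branch-specific, a fleet check has to compare against the fixed release of the same branch rather than against a single "latest" number, and it has to compare numerically (a naive string comparison would rank 6.5.10 below 6.5.7). The following is an added example written for this page, not Fortinet's code or any tool of theirs. It assumes FortiAuthenticator reports versions as major.minor.patch (optionally prefixed with "v" or followed by a build suffix), uses only the three fixed releases named above, and treats branches the article does not mention as unassessed rather than guessing. The inventory lines are constructed sample data.

```python
import re

# Fixed releases per branch, taken from the advisory as reported in the article.
# Branches not listed here get no verdict: the article does not cover them.
FORTIAUTHENTICATOR_FIXED = {
    (6, 5): (6, 5, 7),
    (6, 6): (6, 6, 9),
    (8, 0): (8, 0, 3),
}

# Accepts "6.6.8", "v6.6.8", "6.6.8-build1234" (assumed version formats).
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Turn a version string into an integer tuple so it compares numerically."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(version_text, fixed=FORTIAUTHENTICATOR_FIXED):
    """Return 'patched', 'vulnerable', or 'unknown' for one appliance.

    'unknown' means the running branch is not among those the advisory
    (as reported here) lists a fixed release for, so no claim is made.
    """
    ver = parse_version(version_text)
    branch = ver[:2]
    if branch not in fixed:
        return "unknown"
    return "patched" if ver >= fixed[branch] else "vulnerable"


def triage(inventory_lines):
    """Take 'hostname,product,version' CSV lines and group hosts by verdict."""
    result = {"patched": [], "vulnerable": [], "unknown": []}
    for line in inventory_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, product, version = [f.strip() for f in line.split(",", 2)]
        if product != "FortiAuthenticator":
            continue  # this check only knows FortiAuthenticator's fixed versions
        result[assess(version)].append(host)
    return result


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = """
# host,product,version
fac-eu-01,FortiAuthenticator,v6.6.8-build0453
fac-eu-02,FortiAuthenticator,6.6.9
fac-us-01,FortiAuthenticator,6.5.10
fac-lab-01,FortiAuthenticator,8.0.0
fac-old-01,FortiAuthenticator,7.0.1
fsa-eu-01,FortiSandbox,4.4.0
""".strip().splitlines()

if __name__ == "__main__":
    for verdict, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{verdict:10s} {', '.join(hosts) or '-'}")
```

The numeric comparison is the part worth keeping: 6.5.10 is correctly reported as patched (it is above 6.5.7), and 8.0.0 as vulnerable even though "8" is the highest major, because the 8.0 branch was fixed only in 8.0.3. Hosts on a branch the advisory does not list come back as "unknown" so they are reviewed by hand instead of being silently marked safe.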
The flaw in FortiSandbox, tracked as CVE-2026-26083, is a missing authorization issue that likewise allows unauthenticated attackers to execute arbitrary code and commands via crafted HTTP requests. It also carries a CVSS score of 9.1.
FortiSandbox is a threat detection solution designed to identify zero-day threats by combining machine learning with static and dynamic analysis of suspicious files inside an isolated environment. It integrates with other Fortinet security products such as FortiGate and FortiMail and is offered in several form factors, including hardware and virtual appliances.
