Unauthenticated remote code execution confirmed in FortiAuthenticator (CVE-2026-44277)

- Fortinet said on May 12, 2026 that CVE-2026-44277 is a critical FortiAuthenticator flaw that lets unauthenticated attackers execute code or commands.
- The vulnerability carries a CVSS 9.1 score, and Fortinet described it as improper access control on API endpoints in advisory FG-IR-26-128.
- Fortinet's PSIRT advisory lists fixed versions and mitigation guidance on the FortiGuard Labs site for affected customers.

Fortinet disclosed on May 12, 2026 a critical vulnerability, tracked as CVE-2026-44277, that it said could let an unauthenticated attacker execute unauthorized code or commands on vulnerable FortiAuthenticator systems via crafted requests. The company assigned the flaw a CVSS v3 score of 9.1 and described the issue as improper access control on API endpoints. Fortinet published the issue in PSIRT advisory FG-IR-26-128 and said it was not known to be exploited at the time of publication.

The disclosure matters in part because early social posts and secondary write-ups mixed FortiAuthenticator and FortiSandbox in the same patch cycle. Fortinet's own advisories separate them: CVE-2026-44277 applies to FortiAuthenticator, while a different critical flaw, CVE-2026-26083, affects FortiSandbox, FortiSandbox Cloud and FortiSandbox PaaS. Both issues were rated 9.1 and both allow unauthenticated code or command execution, but they are distinct advisories for distinct products. (fortiguard.fortinet.com)

### Which product does CVE-2026-44277 actually affect?

Fortinet's advisory says CVE-2026-44277 affects FortiAuthenticator, not FortiSandbox. The company described the bug as "improper access control on API endpoints" and said crafted requests could let an unauthenticated attacker run unauthorized code or commands. NIST's National Vulnerability Database entry for CVE-2026-44277 reflects the same product and weakness description. (fortiguard.fortinet.com)

BleepingComputer and CSO Online reported the same split on May 12, saying Fortinet had issued patches for two separate critical flaws disclosed in the same cycle: one in FortiAuthenticator and one in FortiSandbox. That distinction is central for defenders trying to map exposure quickly across product inventories. (fortiguard.fortinet.com)

### What did Fortinet say the bug allows an attacker to do?

Fortinet said an unauthenticated attacker could execute unauthorized code or commands through crafted requests. The advisory ties the issue to CWE-284, improper access control, and marks the attack type as unauthenticated. The listed impact and severity place it among the more urgent classes of appliance flaws because exploitation would not require valid credentials. (bleepingcomputer.com)

The CVSS v3 score is 9.1. Secondary reporting from Security Affairs and CSO Online repeated that score and said the flaw could be abused to run commands or arbitrary code on unpatched systems.

### Why are people also talking about FortiSandbox?

Fortinet published a separate advisory, FG-IR-26-136, for CVE-2026-26083. (fortiguard.fortinet.com) That issue affects the FortiSandbox web interface, including FortiSandbox Cloud and FortiSandbox PaaS, and the company said it could also allow unauthenticated code or command execution over HTTP requests. The overlap in timing, severity and attack type appears to have led some posts and summaries to blur the two flaws together. (securityaffairs.com) That explanation is an inference drawn from the side-by-side disclosures; Fortinet's own advisories do not comment on the confusion.

### Which versions are affected and what is the fix?

Fortinet's PSIRT advisory for CVE-2026-44277 includes affected-version tables and directs customers to upgrade to remediated FortiAuthenticator releases. (fortiguard.fortinet.com) The advisory page is the authoritative source for exact version cutoffs and upgrade targets because Fortinet updates those tables as needed. Fortinet also maintains the advisory status, including whether exploitation is known. (fortiguard.fortinet.com) As of the advisory version captured by current sources, the company said the flaw was not known to be exploited.

### What should defenders check first?

Fortinet customers should first confirm whether they run FortiAuthenticator, FortiSandbox, or both, because CVE-2026-44277 and CVE-2026-26083 are separate issues with separate advisories. (fortiguard.fortinet.com) The next step is to compare deployed versions against Fortinet's affected-version tables and apply the vendor's fixed releases. The FortiGuard Labs PSIRT pages for FG-IR-26-128 and FG-IR-26-136 are where Fortinet posts version guidance, CVRF and CSAF files, and any later advisory updates. (fortiguard.fortinet.com)
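The two-step check described above (confirm which product each appliance is, then compare its version against the right advisory's table) is easy to get wrong by hand across a fleet, especially when FortiSandbox Cloud and PaaS hosts sit next to on-premises FortiSandbox and FortiAuthenticator entries. The script below is an added example, not Fortinet tooling and not taken from the advisories: it maps a constructed inventory to the advisory that covers each product and flags hosts whose version falls inside an affected range. The `Appliance`, `Finding`, `assess` and `needs_upgrade` names are assumptions for this example, and the version ranges in `PLACEHOLDER_RANGES` are placeholders only, because the page does not reproduce Fortinet's tables; the real cutoffs must be copied from FG-IR-26-128 and FG-IR-26-136 before the output means anything.

```python
"""Fleet check for the two Fortinet advisories discussed above.

Added example, not Fortinet's own tooling. It maps each appliance in a
constructed inventory to the advisory that covers its product and flags
hosts whose version falls inside an affected range. The ranges passed in
are placeholders: the page does not reproduce Fortinet's tables, so the
real cutoffs must be copied from FG-IR-26-128 and FG-IR-26-136.
"""
import re
from dataclasses import dataclass

# Product -> (PSIRT advisory, CVE), as published (taken from the page).
ADVISORY_FOR_PRODUCT = {
    "FortiAuthenticator": ("FG-IR-26-128", "CVE-2026-44277"),
    "FortiSandbox": ("FG-IR-26-136", "CVE-2026-26083"),
    "FortiSandbox Cloud": ("FG-IR-26-136", "CVE-2026-26083"),
    "FortiSandbox PaaS": ("FG-IR-26-136", "CVE-2026-26083"),
}


@dataclass
class Appliance:
    hostname: str
    product: str
    version: str  # as reported by the device, possibly with a build suffix


@dataclass
class Finding:
    hostname: str
    product: str
    version: str
    advisory: str
    cve: str
    affected: bool


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '7.0.2', 'v7.0.2' or '7.0.2 build0245' into (7, 0, 2).

    Build suffixes are dropped so the comparison follows the
    major.minor.patch cutoffs that vendor tables are written in.
    """
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def in_range(version: str, low: str, high: str) -> bool:
    """Inclusive check: low <= version <= high, compared numerically, not as strings."""
    return parse_version(low) <= parse_version(version) <= parse_version(high)


def range_key(product: str) -> str:
    """FortiSandbox Cloud/PaaS are covered by the FortiSandbox advisory (page), so
    they share its range table in this example."""
    return "FortiSandbox" if product.startswith("FortiSandbox") else product


def assess(inventory, affected_ranges) -> list[Finding]:
    """Return one Finding per in-scope appliance; products outside both advisories are skipped."""
    findings = []
    for a in inventory:
        if a.product not in ADVISORY_FOR_PRODUCT:
            continue
        advisory, cve = ADVISORY_FOR_PRODUCT[a.product]
        ranges = affected_ranges.get(range_key(a.product), [])
        affected = any(in_range(a.version, lo, hi) for lo, hi in ranges)
        findings.append(Finding(a.hostname, a.product, a.version, advisory, cve, affected))
    return findings


def needs_upgrade(inventory, affected_ranges) -> list[str]:
    """Hostnames that must move to a fixed release, in inventory order."""
    return [f.hostname for f in assess(inventory, affected_ranges) if f.affected]


# --- constructed demo data (NOT real Fortinet version cutoffs) -------------
# PLACEHOLDER inclusive ranges; replace with the rows from the advisories.
PLACEHOLDER_RANGES = {
    "FortiAuthenticator": [("6.6.0", "6.6.7"), ("7.0.0", "7.0.2")],
    "FortiSandbox": [("4.4.0", "4.4.5")],
}

# Constructed inventory, as it might be exported from a CMDB.
INVENTORY = [
    Appliance("fac-01", "FortiAuthenticator", "6.6.3"),
    Appliance("fac-02", "FortiAuthenticator", "v7.0.3 build0120"),
    Appliance("fsa-01", "FortiSandbox", "4.4.2"),
    Appliance("fsa-cloud", "FortiSandbox Cloud", "4.4.6"),
    Appliance("fgt-01", "FortiGate", "7.4.4"),  # not covered by either advisory
]

if __name__ == "__main__":
    for f in assess(INVENTORY, PLACEHOLDER_RANGES):
        state = "UPGRADE" if f.affected else "ok"
        print(f"{f.hostname:10} {f.product:20} {f.version:18} {f.advisory} {f.cve} {state}")
```

Two design points matter in practice: versions are compared as integer tuples rather than strings (so "7.0.10" correctly sorts after "7.0.9"), and the product-to-advisory mapping is kept separate from the range table, so a hosted FortiSandbox Cloud entry is attributed to FG-IR-26-136 rather than silently dropped or matched against the FortiAuthenticator rows.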


Shared from Scout - Be the smartest in the room.