Check FortiSandbox Exposure: Cloudflare Adds CVE-2026-39813 WAF Logging
Cloudflare scheduled a new managed WAF detection for Fortinet FortiSandbox CVE-2026-39813 on June 29, 2026. The rule starts in log mode, so teams still need patching, exposure review, and monitoring.
Cloudflare has scheduled a new WAF detection for Fortinet FortiSandbox CVE-2026-39813 on June 29, 2026. Confidence level: confirmed for the Cloudflare WAF logging update and confirmed for the Fortinet/NVD vulnerability record. The Cloudflare rule starts in log mode, so it should trigger review, not replace patching.
What changed
Cloudflare's scheduled WAF release lists a new detection for "Fortinet FortiSandbox - Path Traversal - CVE:CVE-2026-39813" with a June 29, 2026 release date. The listed release behavior is log, not block.
Fortinet's PSIRT advisory describes CVE-2026-39813 as a path traversal vulnerability in the FortiSandbox JRPC API that may let an unauthenticated attacker bypass authentication through specially crafted HTTP requests. NVD records affected FortiSandbox 4.4 and 5.0 ranges and points to Fortinet's patched versions.
Key takeaways
- Cloudflare added a managed WAF detection for CVE-2026-39813, but the scheduled action is log.
- Fortinet says affected FortiSandbox 4.4 deployments should upgrade to 4.4.9 or later.
- Fortinet says affected FortiSandbox 5.0 deployments should upgrade to 5.0.6 or later.
- NVD records the issue as CVE-2026-39813 and lists Fortinet as the source.
- Treat WAF logs as a signal to hunt and patch, not as proof that the appliance is safe.
Availability and access
The Cloudflare detection is available through Cloudflare's managed WAF ruleset path, subject to how your zones, rulesets, and overrides are configured. Because the scheduled release behavior is log, teams should verify whether they need a local action override after testing for false positives.
Fortinet's vendor path is version-based. FortiSandbox 4.4.0 through 4.4.8 and 5.0.0 through 5.0.5 are the key affected ranges surfaced by Fortinet/NVD; Fortinet lists 4.4.9 and 5.0.6 or later as upgrade targets.
Practical LinkLoot angle
This is a monitoring-first security update. Use Cloudflare's log signal to find exposure, suspicious request patterns, and missed appliances, then close the loop with a Fortinet upgrade.
| Check | What to look for | Why it matters |
|---|---|---|
| Cloudflare WAF events | Matches on the new FortiSandbox CVE-2026-39813 detection | Shows whether traffic is hitting the detection path |
| FortiSandbox version | 4.4.0-4.4.8 or 5.0.0-5.0.5 | Confirms whether the appliance needs an upgrade |
| Exposure | Internet-facing management/API paths | Determines urgency and compensating controls |
| Patch status | 4.4.9+ or 5.0.6+ | Confirms durable remediation |
If your team uses automation for security hygiene, turn this into a repeatable ticket template: asset, version, exposure, WAF event count, patch owner, rollback plan, and post-patch verification. LinkLoot's AI workflow automation guide can help structure those repeatable checks.
What to verify before you act
- Confirm whether your Cloudflare zone has the relevant managed WAF ruleset enabled.
- Check whether the new rule remains in log mode or has a local override.
- Compare every FortiSandbox appliance against Fortinet's fixed versions.
- Review WAF and appliance logs for activity before the June 29 detection.
- Recheck Fortinet's advisory for any follow-up guidance or related CVEs in the same product family.
Source check
Confirmed by: Cloudflare's changelog confirms the scheduled June 29 WAF detection and its log-mode behavior. Fortinet's PSIRT advisory confirms the vulnerability summary and upgrade targets. NVD confirms the CVE record, affected version ranges, and Fortinet as the source.
Context: Qualys reported exploitation activity involving multiple FortiSandbox vulnerabilities, including CVE-2026-39813. Treat that as threat context, not as a replacement for vendor patch guidance or your own logs.
The scheduled Cloudflare entry lists the release behavior as log, not block.