ctipilot.ch


CVE-2026-44277 / CVE-2026-26083 — Fortinet FortiAuthenticator and FortiSandbox unauthenticated RCE

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17

Fortinet's 2026-05-13 PSIRT batch addresses two unauthenticated remote-code-execution flaws in management-plane Fortinet appliances that are common in Swiss federal and cantonal estates. CVE-2026-44277 (FortiAuthenticator, the SAML / RADIUS / 802.1X identity broker) and CVE-2026-26083 (FortiSandbox, the malware-analysis appliance) are both pre-auth and network-reachable, with CVSS ≥ 9. Patched builds were confirmed in the 2026-05-13 daily; no in-the-wild exploitation had been reported at week-end. Operational implication: FortiAuthenticator sits at the centre of the identity-broker trust chain in many public-sector network architectures, so a compromised FortiAuthenticator yields cross-domain credential-issuance capability, which is materially worse than a typical RCE. Patch state should therefore be verified explicitly on every FortiAuthenticator deployment (Fortinet PSIRT FG-IR-26-128 / FG-IR-26-136; daily 2026-05-13).