CVE-2026-4266 HIGH

CVE-2026-4266: WatchGuard Firebox Insecure Deserialization in Fireware Access Portal

Vendor Watchguard
Product Fireware OS
Weakness CWE-502 · Unsafe deserialization
Published March 30, 2026
Last update March 31, 2026
View on NVD All CVEs

CVSS base score

8.4/10
Attack vector Local
Attack complexity Low
Privileges required High
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

An Insecure Deserialization vulnerability in WatchGuard Fireware OS allows an attacker that has obtained write access to the local filesystem through another vulnerability to execute arbitrary code in the context of the portald user.This issue affects Fireware OS: 12.1 through 12.11.8 and 2025.1 through 2026.1.2. Note, this vulnerability does not affect Firebox platforms that do not support the Access Portal feature, including the T-15 and T-35.

Key dates

02Disclosure timeline

March 30, 2026 CVE published
March 31, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2022-39297 Deserialization of untrusted data in MelisCms CVE-2026-26978 Free PBX backup: Deserialization of Untrusted Data in admin/modules/backup/Models/BackupSplFileInfo.php CVE-2026-24747 PyTorch Vulnerable to Remote Code Execution via Untrusted Checkpoint Files CVE-2023-33008 Apache Johnzon: Prevent inefficient internal conversion from BigDecimal at large scale CVE-2026-33728 dd-trace-java: Unsafe deserialization in RMI instrumentation may lead to remote code execution