CVE-2026-26083

CVE-2026-26083 PUBLISHED

Assigner: fortinet
Reserved: 11.02.2026 Published: 12.05.2026 Updated: 13.05.2026

A missing authorization vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.1, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox Cloud 5.0.2 through 5.0.5, FortiSandbox PaaS 23.4 all versions, FortiSandbox PaaS 23.3 all versions, FortiSandbox PaaS 23.1 all versions, FortiSandbox PaaS 22.2 all versions, FortiSandbox PaaS 22.1 all versions, FortiSandbox PaaS 21.4 all versions, FortiSandbox PaaS 21.3 all versions, FortiSandbox PaaS 5.0.0 through 5.0.1, FortiSandbox PaaS 4.4.5 through 4.4.8 may allow an unauthenticated attacker to execute unauthorized code or commands via HTTP requests.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
CVSS Score: 9.1

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	Fortinet
Product	FortiSandbox Cloud
Versions	Default: unaffected affected from 5.0.0 to 5.0.1 (incl.) affected from 4.4.5 to 4.4.8 (incl.)

Vendor

Fortinet

Product

FortiSandbox Cloud

Versions

Default: unaffected

affected from 5.0.0 to 5.0.1 (incl.)
affected from 4.4.5 to 4.4.8 (incl.)

Vendor	Fortinet
Product	FortiSandbox
Versions	Default: unaffected affected from 5.0.0 to 5.0.1 (incl.) affected from 4.4.0 to 4.4.8 (incl.) affected from 4.2.1 to 4.2.8 (incl.)

Vendor

Fortinet

Product

FortiSandbox

Versions

Default: unaffected

affected from 5.0.0 to 5.0.1 (incl.)
affected from 4.4.0 to 4.4.8 (incl.)
affected from 4.2.1 to 4.2.8 (incl.)

Vendor	Fortinet
Product	FortiSandbox PaaS
Versions	Default: unaffected Version 23.4.4374 is affected Version 23.4.4350 is affected Version 23.3.4329 is affected Version 23.1.4245 is affected Version 22.2.4151 is affected Version 22.2.4134 is affected Version 22.1.4113 is affected Version 21.4.4072 is affected Version 21.3.4055 is affected affected from 5.0.0 to 5.0.1 (incl.) affected from 4.4.5 to 4.4.8 (incl.)

Vendor

Fortinet

Product

FortiSandbox PaaS

Versions

Default: unaffected

Version 23.4.4374 is affected
Version 23.4.4350 is affected
Version 23.3.4329 is affected
Version 23.1.4245 is affected
Version 22.2.4151 is affected
Version 22.2.4134 is affected
Version 22.1.4113 is affected
Version 21.4.4072 is affected
Version 21.3.4055 is affected
affected from 5.0.0 to 5.0.1 (incl.)
affected from 4.4.5 to 4.4.8 (incl.)

Solutions

Fortinet remediated this issue in FortiSandbox Cloud version 5.0.2 and hence customers do not need to perform any action. Fortinet remediated this issue in FortiSandbox Cloud version 4.4.9 and hence customers do not need to perform any action. Upgrade to FortiSandbox version 5.0.2 or above Upgrade to FortiSandbox version 4.4.9 or above Upgrade to FortiSandbox PaaS version 5.0.2 or above Upgrade to FortiSandbox PaaS version 4.4.9 or above

References

Problem Types

Execute unauthorized code or commands CWE