
Description

A missing authorization vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.1, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox Cloud 5.0.2 through 5.0.5, FortiSandbox PaaS 23.4 all versions, FortiSandbox PaaS 23.3 all versions, FortiSandbox PaaS 23.1 all versions, FortiSandbox PaaS 22.2 all versions, FortiSandbox PaaS 22.1 all versions, FortiSandbox PaaS 21.4 all versions, FortiSandbox PaaS 21.3 all versions, FortiSandbox PaaS 5.0.0 through 5.0.1, FortiSandbox PaaS 4.4.5 through 4.4.8 may allow an unauthenticated attacker to execute unauthorized code or commands via HTTP requests.

PUBLISHED Reserved 2026-02-11 | Published 2026-05-12 | Updated 2026-05-13 | Assigner fortinet




CRITICAL: 9.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C

Problem types

Execute unauthorized code or commands

Product status

Default status
unaffected

5.0.0 (semver)
affected

4.4.5 (semver)
affected

Default status
unaffected

5.0.0 (semver)
affected

4.4.0 (semver)
affected

4.2.1 (semver)
affected

Default status
unaffected

23.4.4374
affected

23.4.4350
affected

23.3.4329
affected

23.1.4245
affected

22.2.4151
affected

22.2.4134
affected

22.1.4113
affected

21.4.4072
affected

21.3.4055
affected

5.0.0 (semver)
affected

4.4.5 (semver)
affected

References

fortiguard.fortinet.com/psirt/FG-IR-26-136

cve.org (CVE-2026-26083)

nvd.nist.gov (CVE-2026-26083)
