Critical severity 9.8 · NVD Advisory · Published May 12, 2026 · Updated May 15, 2026
CVE-2026-26083
Description
A missing authorization vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.1, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox Cloud 5.0.2 through 5.0.5, FortiSandbox PaaS 23.4 all versions, FortiSandbox PaaS 23.3 all versions, FortiSandbox PaaS 23.1 all versions, FortiSandbox PaaS 22.2 all versions, FortiSandbox PaaS 22.1 all versions, FortiSandbox PaaS 21.4 all versions, FortiSandbox PaaS 21.3 all versions, FortiSandbox PaaS 5.0.0 through 5.0.1, FortiSandbox PaaS 4.4.5 through 4.4.8 may allow an unauthenticated attacker to execute unauthorized code or commands via HTTP requests.
Affected products
- (no CPE) range: >=4.4.0, <=5.0.1 and others
- (no CPE) range: >=5.0.2, <=5.0.5
References
- fortiguard.fortinet.com/psirt/FG-IR-26-136 · nvd · Vendor Advisory
News mentions
- Critical Fortinet FortiSandbox flaws now exploited in attacks · BleepingComputer · Jun 16, 2026
- ⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and More · The Hacker News · May 18, 2026
- Ivanti, Fortinet, SAP, VMware, n8n Patch RCE, SQL Injection, Privilege Escalation Flaws · The Hacker News · May 18, 2026
- Fortinet, Ivanti Patch Critical Vulnerabilities · SecurityWeek · May 13, 2026
- Fortinet warns of critical RCE flaws in FortiSandbox and FortiAuthenticator · BleepingComputer · May 12, 2026