Critical severity9.8NVD Advisory· Published May 12, 2026· Updated May 15, 2026
CVE-2026-26083
CVE-2026-26083
Description
A missing authorization vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.1, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox Cloud 5.0.2 through 5.0.5, FortiSandbox PaaS 23.4 all versions, FortiSandbox PaaS 23.3 all versions, FortiSandbox PaaS 23.1 all versions, FortiSandbox PaaS 22.2 all versions, FortiSandbox PaaS 22.1 all versions, FortiSandbox PaaS 21.4 all versions, FortiSandbox PaaS 21.3 all versions, FortiSandbox PaaS 5.0.0 through 5.0.1, FortiSandbox PaaS 4.4.5 through 4.4.8 may allow an unauthenticated attacker to execute unauthorized code or commands via HTTP requests.
Affected products
2- Range: >=4.4.0, <=5.0.1 and others
- Range: >=5.0.2, <=5.0.5
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1- fortiguard.fortinet.com/psirt/FG-IR-26-136nvdVendor Advisory
News mentions
4- Ivanti, Fortinet, SAP, VMware, n8n Patch RCE, SQL Injection, Privilege Escalation FlawsThe Hacker News · May 18, 2026
- Fortinet, Ivanti Patch Critical VulnerabilitiesSecurityWeek · May 13, 2026
- Fortinet warns of critical RCE flaws in FortiSandbox and FortiAuthenticatorBleepingComputer · May 12, 2026
- Microsoft May 2026 Patch Tuesday fixes 120 flaws, no zero-daysBleepingComputer · May 12, 2026