Zero Day Monitor (ZDM)
CVE-2026-26083 · PATCHED · CVSS 9.1
Fortinet · FortiSandbox Cloud

CVE-2026-26083: A missing authorization vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.1, FortiSandbox 4.4.0 through 4.4.8, Fo

Description

A missing authorization vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.1, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox Cloud 5.0.2 through 5.0.5, FortiSandbox PaaS 23.4 all versions, FortiSandbox PaaS 23.3 all versions, FortiSandbox PaaS 23.1 all versions, FortiSandbox PaaS 22.2 all versions, FortiSandbox PaaS 22.1 all versions, FortiSandbox PaaS 21.4 all versions, FortiSandbox PaaS 21.3 all versions, FortiSandbox PaaS 5.0.0 through 5.0.1, FortiSandbox PaaS 4.4.5 through 4.4.8 may allow an unauthenticated attacker to execute unauthorized code or commands via HTTP requests.

Affected Products

Vendor | Product | Versions
Fortinet | FortiSandbox Cloud | 5.0.0, 4.4.5, 5.0.0, 4.4.0, 4.2.1, 23.4.4374, 23.4.4350, 23.3.4329, 23.1.4245, 22.2.4151, 22.2.4134, 22.1.4113, 21.4.4072, 21.3.4055, 5.0.0, 4.4.5

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor | Product | Source | Confidence
fortinet | fortisandbox | mitre_affected | 90%
fortinet | fortisandbox paas | mitre_affected | 90%

References

  • https://fortiguard.fortinet.com/psirt/FG-IR-26-136

Related News (2 articles)

Tier C · VulDB · 5h ago
CVE-2026-26083 | Fortinet FortiSandbox Cloud/FortiSandbox/FortiSandbox PaaS up to 4.4.8/5.0.1 HTTP Request authorization (FG-IR-26-136)
→ No new info (linked only)

Tier A · Fortinet PSIRT · 16h ago
Incorrect global authorization
→ No new info (linked only)

CVSS 3.1: 9.1 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
CISA KEV: No
Actively exploited: No
Patch available: 5.0.2
CWE: CWE-862
Published: May 12, 2026
Last enriched: 6h ago (v2)
Tags: authorization, unauthenticated access
Trending Score: 55
Source articles: 2
Independent: 2
Info Completeness: 9/14
Missing: epss, kev, exploit, iocs, mitre_attack

Related CVEs (5)

CRITICAL · CVE-2026-35616 · EXP · KEV
CVE-2026-35616: A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an unauthenticated atta
Trending: 167

CRITICAL · CVE-2026-44277 · EXP
CVE-2026-44277: A improper access control vulnerability in Fortinet FortiAuthenticator 8.0.2, FortiAuthenticator 8.0.0, FortiAuthenticat
Trending: 82

HIGH · CVE-2025-53844 · EXP
CVE-2025-53844: A out-of-bounds write vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0
Trending: 62

MEDIUM · CVE-2025-53680 · EXP
CVE-2025-53680: An improper neutralization of special elements used in an OS command ("OS Command Injection") vulnerability [CWE-78] vul
Trending: 58

MEDIUM · CVE-2025-53870 · EXP
CVE-2025-53870: An improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet
Trending: 58

Verification

State: verified
Confidence: 0%

Vulnerability Timeline

CVE Published · May 12, 2026
Discovered by ZDM · May 12, 2026
Updated: affectedVersions, patchAvailable, tags · May 12, 2026
Patch Available · May 12, 2026

Version History

v2 · Last enriched 6h ago

v2 · Tier A · 6h ago
Updated affected versions to include 4.4.9 and 5.0.6, and added tags related to authorization and unauthenticated access.
Fields: affectedVersions, patchAvailable, tags
via Fortinet PSIRT

v1 · 6h ago
Initial creation