FortiSandbox critical RCE disclosed
- Fortinet disclosed a critical FortiSandbox remote-code-execution bug on May 12, 2026, affecting on-premises, cloud and PaaS deployments through the product’s web interface.
- CVE-2026-26083 carries a CVSS 3.1 score of 9.8, and Fortinet said unauthenticated attackers could execute unauthorized code or commands.
- Fortinet’s PSIRT advisory lists fixed versions and migration guidance, with affected customers directed to FG-IR-26-136 and related release notes.
Fortinet disclosed a critical FortiSandbox vulnerability on May 12 that the company said could let an unauthenticated attacker execute unauthorized code or commands through HTTP requests against the product’s web interface. The issue is tracked as CVE-2026-26083 and appears in Fortinet’s PSIRT advisory FG-IR-26-136, which covers FortiSandbox, FortiSandbox Cloud and FortiSandbox PaaS. The National Vulnerability Database lists the flaw as a missing authorization issue, or CWE-862, and shows a CVSS 3.1 base score of 9.8.

### Which Fortinet products and versions are affected?

Fortinet’s advisory says the affected on-premises releases are FortiSandbox 5.0.0 through 5.0.1 and 4.4.0 through 4.4.8. The same notice says FortiSandbox Cloud 5.0.2 through 5.0.5 is affected, alongside the FortiSandbox Cloud 23 and 24 releases, which require migration to a fixed release rather than an in-place patch. The PSIRT entry also lists multiple FortiSandbox PaaS branches as affected, including 23.4, 23.3, 23.1, 22.2, 22.1, 21.4 and 21.3, plus PaaS 5.0.0 through 5.0.1 and 4.4.5 through 4.4.8. (fortiguard.fortinet.com) NVD mirrors those version ranges in its record for CVE-2026-26083.

### What does Fortinet say the flaw allows?

Fortinet’s description says “a missing authorization vulnerability” in the FortiSandbox, FortiSandbox Cloud and FortiSandbox PaaS web UI may allow an unauthenticated attacker to execute unauthorized code or commands via HTTP requests. (fortiguard.fortinet.com) NVD uses nearly the same language in its description of the bug.

The 9.8 CVSS 3.1 score attached to the CVE reflects network-based exploitation with low attack complexity, no privileges required and no user interaction, according to the NVD entry. (fortiguard.fortinet.com) That scoring does not by itself confirm active exploitation, but it does place the flaw in the critical tier.

### Is there any public sign of active exploitation?

CISA’s Known Exploited Vulnerabilities catalog was available on May 18, but the search results reviewed for this story did not show CVE-2026-26083 as a catalog entry. (fortiguard.fortinet.com) CISA says the KEV list is its authoritative source for vulnerabilities known to have been exploited in the wild.

Fortinet’s advisory, as captured in the PSIRT notice, says the issue was “internally discovered and reported by Adham El karn of Fortinet Product Security team.” The timeline in that notice shows an initial publication date of May 12, 2026. (nvd.nist.gov)

### What fixes did Fortinet publish?

Fortinet’s advisory directs customers on FortiSandbox 5.0.0 through 5.0.1 to upgrade to 5.0.2 or above, and customers on 4.4.0 through 4.4.8 to upgrade to 4.4.9 or above. (cisa.gov) For FortiSandbox Cloud 5.0.2 through 5.0.5, the company says customers should move to 5.0.6 or above. Fortinet’s document library includes release notes for FortiSandbox 5.0.2, one of the fixed on-premises versions named in the advisory. (fortiguard.fortinet.com)

The advisory also says several cloud and PaaS branches should migrate to a fixed release, indicating that the remediation path differs by deployment model.

### Why were security researchers circulating warnings on May 18?

May 18 social-media posts and community write-ups amplified the advisory after the vendor notice had already been published on May 12. (fortiguard.fortinet.com) One security news report published six days after the advisory said Fortinet had released patches for critical flaws in FortiSandbox and FortiAuthenticator that could enable attackers to run commands or arbitrary code. (docs.fortinet.com)

Fortinet’s own PSIRT index shows FortiSandbox among the products with current advisories and lists hundreds of PSIRT notices across the company’s portfolio. That index is where the vendor is maintaining the FortiSandbox advisory referenced by NVD.
Fortinet’s next concrete step for affected customers is the upgrade path in FG-IR-26-136: 5.0.2 or later for FortiSandbox 5.0, 4.4.9 or later for 4.4, and 5.0.6 or later for affected FortiSandbox Cloud 5.0 deployments. (bleepingcomputer.com) (fortiguard.fortinet.com) (fortiguard.com)
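For teams triaging an inventory against the affected ranges and upgrade paths quoted above, here is an added example (not Fortinet's code) that compares versions numerically rather than as strings and treats a short bound such as "24" or "23.4" as a whole branch. The host names in the sample inventory are constructed; the ranges are transcribed from this article's reading of FG-IR-26-136 and should be checked against the advisory itself.

```python
"""Triage helper for CVE-2026-26083 (FortiSandbox missing authorization, FG-IR-26-136).

Added example, not vendor code. Ranges are transcribed from the article's
summary of the advisory; confirm them against FG-IR-26-136 before acting.
"""
from typing import Optional, Tuple

Version = Tuple[int, ...]

def parse(version: str) -> Version:
    """'5.0.1' -> (5, 0, 1), so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in version.strip().split("."))

# (deployment, low, high, remediation), bounds inclusive. A bound with fewer
# components than the version (e.g. "24" or "23.4") matches the whole branch.
AFFECTED = [
    ("onprem", "5.0.0", "5.0.1", "upgrade to 5.0.2 or above"),
    ("onprem", "4.4.0", "4.4.8", "upgrade to 4.4.9 or above"),
    ("cloud",  "5.0.2", "5.0.5", "upgrade to 5.0.6 or above"),
    ("cloud",  "23",    "24",    "migrate to a fixed release"),
    ("paas",   "5.0.0", "5.0.1", "migrate to a fixed release"),
    ("paas",   "4.4.5", "4.4.8", "migrate to a fixed release"),
] + [("paas", branch, branch, "migrate to a fixed release")
     for branch in ("23.4", "23.3", "23.1", "22.2", "22.1", "21.4", "21.3")]

def in_range(version: str, low: str, high: str) -> bool:
    """Inclusive range test; bounds shorter than the version act as branch prefixes."""
    v, lo, hi = parse(version), parse(low), parse(high)
    return lo <= v[:len(lo)] and v[:len(hi)] <= hi

def triage(deployment: str, version: str) -> Optional[str]:
    """Remediation text if this deployment/version is in an affected range, else None."""
    for dep, low, high, fix in AFFECTED:
        if dep == deployment and in_range(version, low, high):
            return fix
    return None

def report(inventory):
    """Map each (name, deployment, version) to its remediation or 'not listed as affected'."""
    return {name: triage(dep, ver) or "not listed as affected"
            for name, dep, ver in inventory}

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [("sbx-dc1", "onprem", "4.4.8"), ("sbx-dc2", "onprem", "5.0.2"),
              ("sbx-cloud", "cloud", "24.1.0"), ("sbx-paas", "paas", "23.4.1")]
    for host, outcome in report(sample).items():
        print(f"{host}: {outcome}")
```

A version that falls outside every listed range is reported as "not listed as affected", not as safe; an unlisted or newer branch still needs checking against the current advisory.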