CVE-2026-26083
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk50th percentile — higher than 50% of all known CVEs
Summary
A missing authorization vulnerability in Fortinet FortiSandbox allows an unauthenticated attacker to execute unauthorized code or commands via HTTP requests. The issue affects multiple versions of FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS.
Risk Assessment
The risk for the organization includes remote takeover of the FortiSandbox appliance without authentication, potentially leading to compromise of data confidentiality, integrity, and availability, as well as infrastructure security.
Recommendation
Immediately upgrade FortiSandbox to the latest available version and apply security patches provided by the vendor. Restrict management interface access to trusted networks only.
Original NVD description (English source)
A missing authorization vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.1, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox Cloud 5.0.2 through 5.0.5, FortiSandbox PaaS 23.4 all versions, FortiSandbox PaaS 23.3 all versions, FortiSandbox PaaS 23.1 all versions, FortiSandbox PaaS 22.2 all versions, FortiSandbox PaaS 22.1 all versions, FortiSandbox PaaS 21.4 all versions, FortiSandbox PaaS 21.3 all versions, FortiSandbox PaaS 5.0.0 through 5.0.1, FortiSandbox PaaS 4.4.5 through 4.4.8 may allow an unauthenticated attacker to execute unauthorized code or commands via HTTP requests.

