CVE-2026-26083: Missing authorization in Fortinet FortiSandbox

Summary

Parameter	Value
CVE ID	CVE-2026-26083
Alert Source	GitHub Advisory - Critical Vulnerability
CVE Publication Year	2026
Date Published	2026-05-12
Vendor	Fortinet
Product	FortiSandbox
CVSS Score	9.8 (critical)
EPSS Score	No data
CISA KEV	No
Ransomware	Not confirmed

Vulnerability Description

A missing authorization vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.1, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox Cloud 5.0.2 through 5.0.5, FortiSandbox PaaS 23.4 all versions, FortiSandbox PaaS 23.3 all versions, FortiSandbox PaaS 23.1 all versions, FortiSandbox PaaS 22.2 all versions, FortiSandbox PaaS 22.1 all versions, FortiSandbox PaaS 21.4 all versions, FortiSandbox PaaS 21.3 all versions, FortiSandbox PaaS 5.0.0 through 5.0.1, FortiSandbox PaaS 4.4.5 through 4.4.8 may allow a remote, unauthenticated attacker to bypass authorization checks and perform unauthorized actions.

Required Actions

Apply vendor patches or mitigations as soon as available.

Who Is Affected?

This vulnerability affects FortiSandbox by Fortinet. Check if your organization uses this software and requires updates.

Sources

• NVD - CVE-2026-26083

• FIRST EPSS

---

Need help securing your systems? nFlo team offers vulnerability management and 24/7 SOC services. Contact us.