{"api_version":"1","generated_at":"2026-05-13T12:21:12+00:00","cve":"CVE-2026-26083","urls":{"html":"https://cve.report/CVE-2026-26083","api":"https://cve.report/api/cve/CVE-2026-26083.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-26083","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-26083"},"summary":{"title":"CVE-2026-26083","description":"A missing authorization vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.1, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox Cloud 5.0.2 through 5.0.5, FortiSandbox PaaS 23.4 all versions, FortiSandbox PaaS 23.3 all versions, FortiSandbox PaaS 23.1 all versions, FortiSandbox PaaS 22.2 all versions, FortiSandbox PaaS 22.1 all versions, FortiSandbox PaaS 21.4 all versions, FortiSandbox PaaS 21.3 all versions, FortiSandbox PaaS 5.0.0 through 5.0.1, FortiSandbox PaaS 4.4.5 through 4.4.8 may allow an unauthenticated attacker to execute unauthorized code or commands via HTTP requests.","state":"PUBLISHED","assigner":"fortinet","published_at":"2026-05-12 18:16:39","updated_at":"2026-05-12 18:57:02"},"problem_types":["CWE-862","CWE-862 Execute unauthorized code or commands"],"metrics":[{"version":"3.1","source":"psirt@fortinet.com","type":"Secondary","score":"9.8","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"9.1","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.1,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C","version":"3.1"}}],"references":[{"url":"https://fortiguard.fortinet.com/psirt/FG-IR-26-136","name":"https://fortiguard.fortinet.com/psirt/FG-IR-26-136","refsource":"psirt@fortinet.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-26083","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-26083","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Fortinet","product":"FortiSandbox Cloud","version":"affected 5.0.0 5.0.1 semver","platforms":[]},{"source":"CNA","vendor":"Fortinet","product":"FortiSandbox Cloud","version":"affected 4.4.5 4.4.8 semver","platforms":[]},{"source":"CNA","vendor":"Fortinet","product":"FortiSandbox","version":"affected 5.0.0 5.0.1 semver","platforms":[]},{"source":"CNA","vendor":"Fortinet","product":"FortiSandbox","version":"affected 4.4.0 4.4.8 semver","platforms":[]},{"source":"CNA","vendor":"Fortinet","product":"FortiSandbox","version":"affected 4.2.1 4.2.8 semver","platforms":[]},{"source":"CNA","vendor":"Fortinet","product":"FortiSandbox PaaS","version":"affected 23.4.4374","platforms":[]},{"source":"CNA","vendor":"Fortinet","product":"FortiSandbox PaaS","version":"affected 23.4.4350","platforms":[]},{"source":"CNA","vendor":"Fortinet","product":"FortiSandbox PaaS","version":"affected 23.3.4329","platforms":[]},{"source":"CNA","vendor":"Fortinet","product":"FortiSandbox PaaS","version":"affected 23.1.4245","platforms":[]},{"source":"CNA","vendor":"Fortinet","product":"FortiSandbox PaaS","version":"affected 22.2.4151","platforms":[]},{"source":"CNA","vendor":"Fortinet","product":"FortiSandbox PaaS","version":"affected 22.2.4134","platforms":[]},{"source":"CNA","vendor":"Fortinet","product":"FortiSandbox PaaS","version":"affected 22.1.4113","platforms":[]},{"source":"CNA","vendor":"Fortinet","product":"FortiSandbox PaaS","version":"affected 21.4.4072","platforms":[]},{"source":"CNA","vendor":"Fortinet","product":"FortiSandbox PaaS","version":"affected 21.3.4055","platforms":[]},{"source":"CNA","vendor":"Fortinet","product":"FortiSandbox PaaS","version":"affected 5.0.0 5.0.1 semver","platforms":[]},{"source":"CNA","vendor":"Fortinet","product":"FortiSandbox PaaS","version":"affected 4.4.5 4.4.8 semver","platforms":[]}],"timeline":[],"solutions":[{"source":"CNA","title":"","value":"Fortinet remediated this issue in FortiSandbox Cloud version 5.0.2 and hence customers do not need to perform any action.\nFortinet remediated this issue in FortiSandbox Cloud version 4.4.9 and hence customers do not need to perform any action.\nUpgrade to FortiSandbox version 5.0.2 or above\nUpgrade to FortiSandbox version 4.4.9 or above\nUpgrade to FortiSandbox PaaS version 5.0.2 or above\nUpgrade to FortiSandbox PaaS version 4.4.9 or above","time":"","lang":"en"}],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"cpes":["cpe:2.3:a:fortinet:fortisandboxcloud:5.0.1:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortisandboxcloud:5.0.0:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortisandboxcloud:4.4.8:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortisandboxcloud:4.4.7:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortisandboxcloud:4.4.6:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortisandboxcloud:4.4.5:*:*:*:*:*:*:*"],"defaultStatus":"unaffected","product":"FortiSandbox Cloud","vendor":"Fortinet","versions":[{"lessThanOrEqual":"5.0.1","status":"affected","version":"5.0.0","versionType":"semver"},{"lessThanOrEqual":"4.4.8","status":"affected","version":"4.4.5","versionType":"semver"}]},{"cpes":["cpe:2.3:a:fortinet:fortisandbox:5.0.1:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortisandbox:5.0.0:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortisandbox:4.4.8:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortisandbox:4.4.7:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortisandbox:4.4.6:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortisandbox:4.4.5:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortisandbox:4.4.4:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortisandbox:4.4.3:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortisandbox:4.4.2:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortisandbox:4.4.1:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortisandbox:4.4.0:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortisandbox:4.2.8:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortisandbox:4.2.7:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortisandbox:4.2.6:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortisandbox:4.2.5:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortisandbox:4.2.4:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortisandbox:4.2.3:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortisandbox:4.2.2:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortisandbox:4.2.1:*:*:*:*:*:*:*"],"defaultStatus":"unaffected","product":"FortiSandbox","vendor":"Fortinet","versions":[{"lessThanOrEqual":"5.0.1","status":"affected","version":"5.0.0","versionType":"semver"},{"lessThanOrEqual":"4.4.8","status":"affected","version":"4.4.0","versionType":"semver"},{"lessThanOrEqual":"4.2.8","status":"affected","version":"4.2.1","versionType":"semver"}]},{"cpes":["cpe:2.3:a:fortinet:fortisandboxpaas:23.4.4374:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortisandboxpaas:23.4.4350:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortisandboxpaas:23.3.4329:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortisandboxpaas:23.1.4245:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortisandboxpaas:22.2.4151:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortisandboxpaas:22.2.4134:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortisandboxpaas:22.1.4113:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortisandboxpaas:21.4.4072:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortisandboxpaas:21.3.4055:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortisandboxpaas:5.0.1:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortisandboxpaas:5.0.0:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortisandboxpaas:4.4.8:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortisandboxpaas:4.4.7:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortisandboxpaas:4.4.6:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortisandboxpaas:4.4.5:*:*:*:*:*:*:*"],"defaultStatus":"unaffected","product":"FortiSandbox PaaS","vendor":"Fortinet","versions":[{"status":"affected","version":"23.4.4374"},{"status":"affected","version":"23.4.4350"},{"status":"affected","version":"23.3.4329"},{"status":"affected","version":"23.1.4245"},{"status":"affected","version":"22.2.4151"},{"status":"affected","version":"22.2.4134"},{"status":"affected","version":"22.1.4113"},{"status":"affected","version":"21.4.4072"},{"status":"affected","version":"21.3.4055"},{"lessThanOrEqual":"5.0.1","status":"affected","version":"5.0.0","versionType":"semver"},{"lessThanOrEqual":"4.4.8","status":"affected","version":"4.4.5","versionType":"semver"}]}],"descriptions":[{"lang":"en","value":"A missing authorization vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.1, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox Cloud 5.0.2 through 5.0.5, FortiSandbox PaaS 23.4 all versions, FortiSandbox PaaS 23.3 all versions, FortiSandbox PaaS 23.1 all versions, FortiSandbox PaaS 22.2 all versions, FortiSandbox PaaS 22.1 all versions, FortiSandbox PaaS 21.4 all versions, FortiSandbox PaaS 21.3 all versions, FortiSandbox PaaS 5.0.0 through 5.0.1, FortiSandbox PaaS 4.4.5 through 4.4.8 may allow an unauthenticated attacker to execute unauthorized code or commands via HTTP requests."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.1,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-862","description":"Execute unauthorized code or commands","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-05-12T16:54:04.923Z","orgId":"6abe59d8-c742-4dff-8ce8-9b0ca1073da8","shortName":"fortinet"},"references":[{"name":"https://fortiguard.fortinet.com/psirt/FG-IR-26-136","url":"https://fortiguard.fortinet.com/psirt/FG-IR-26-136"}],"solutions":[{"lang":"en","value":"Fortinet remediated this issue in FortiSandbox Cloud version 5.0.2 and hence customers do not need to perform any action.\nFortinet remediated this issue in FortiSandbox Cloud version 4.4.9 and hence customers do not need to perform any action.\nUpgrade to FortiSandbox version 5.0.2 or above\nUpgrade to FortiSandbox version 4.4.9 or above\nUpgrade to FortiSandbox PaaS version 5.0.2 or above\nUpgrade to FortiSandbox PaaS version 4.4.9 or above"}]}},"cveMetadata":{"assignerOrgId":"6abe59d8-c742-4dff-8ce8-9b0ca1073da8","assignerShortName":"fortinet","cveId":"CVE-2026-26083","datePublished":"2026-05-12T16:54:04.923Z","dateReserved":"2026-02-11T09:32:22.258Z","dateUpdated":"2026-05-12T16:54:04.923Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-12 18:16:39","lastModifiedDate":"2026-05-12 18:57:02","problem_types":["CWE-862","CWE-862 Execute unauthorized code or commands"],"metrics":{"cvssMetricV31":[{"source":"psirt@fortinet.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"26083","Ordinal":"1","Title":"CVE-2026-26083","CVE":"CVE-2026-26083","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"26083","Ordinal":"1","NoteData":"A missing authorization vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.1, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox Cloud 5.0.2 through 5.0.5, FortiSandbox PaaS 23.4 all versions, FortiSandbox PaaS 23.3 all versions, FortiSandbox PaaS 23.1 all versions, FortiSandbox PaaS 22.2 all versions, FortiSandbox PaaS 22.1 all versions, FortiSandbox PaaS 21.4 all versions, FortiSandbox PaaS 21.3 all versions, FortiSandbox PaaS 5.0.0 through 5.0.1, FortiSandbox PaaS 4.4.5 through 4.4.8 may allow an unauthenticated attacker to execute unauthorized code or commands via HTTP requests.","Type":"Description","Title":"CVE-2026-26083"}]}}}