CVE-2026-26083 CRITICAL

CVE-2026-26083

Vendor Fortinet
Product FortiSandbox Cloud
Weakness CWE-862 · Missing authorization
Published May 12, 2026
Last update May 13, 2026
View on NVD All CVEs

CVSS base score

9.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C

What the vulnerability does

01Description

A missing authorization vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.1, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox Cloud 5.0.2 through 5.0.5, FortiSandbox PaaS 23.4 all versions, FortiSandbox PaaS 23.3 all versions, FortiSandbox PaaS 23.1 all versions, FortiSandbox PaaS 22.2 all versions, FortiSandbox PaaS 22.1 all versions, FortiSandbox PaaS 21.4 all versions, FortiSandbox PaaS 21.3 all versions, FortiSandbox PaaS 5.0.0 through 5.0.1, FortiSandbox PaaS 4.4.5 through 4.4.8 may allow an unauthenticated attacker to execute unauthorized code or commands via HTTP requests.

Key dates

02Disclosure timeline

May 12, 2026 CVE published
May 13, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-66124 WordPress Leaky Paywall plugin <= 4.22.6 - Broken Access Control vulnerability CVE-2022-36068 Discourse moderators can edit themes via the API CVE-2025-13386 Social Images Widget <= 2.1 - Missing Authorization to Unauthenticated Arbitrary Plugin Settings Deletion CVE-2024-33912 WordPress Academy LMS plugin <= 1.9.16 - Broken Access Control on Paid Courses vulnerability CVE-2025-68072 WordPress Easy Property Listings plugin <= 3.5.20 - Broken Access Control vulnerability