CVE-2026-26083 -- CVSS 9.8 Vulnerability Briefing
CVE-2026-26083 | CVSS 9.8 (Critical) | Exploit: PoC available
What Is It
CVE-2026-26083 is a missing authorization vulnerability (the CWE-862 weakness class) affecting multiple versions of Fortinet FortiSandbox across its on-premises appliances, FortiSandbox Cloud, and FortiSandbox PaaS deployments. The affected range spans several release branches, from version 21.3 through the current 5.0.x releases; the exact affected and fixed versions for each branch are those given in Fortinet's advisory.
Technical Detail
The flaw stems from absent or improperly enforced authorization checks on one or more API endpoints or functional components within FortiSandbox. Because the check that should reject a request is never performed, a remote attacker who is unauthenticated, or who holds only a low-privileged account, can reach protected resources or perform restricted operations without valid credentials or the appropriate permissions; the request need not be malformed, it simply targets functionality that was supposed to be gated. A 9.8 base score corresponds to the network-reachable, low-complexity, no-privileges, no-interaction CVSS vector with high confidentiality, integrity and availability impact, which is consistent with the unauthenticated remote access scenario typical of this class. Depending on which functionality is exposed, successful exploitation could result in unauthorized data access, configuration manipulation, or further lateral movement in environments where FortiSandbox is integrated with other security controls. This briefing does not identify which endpoints or components are affected, so defenders should not assume the exposure is limited to any one interface.
Exploitation Status
A proof-of-concept exploit is publicly available for this vulnerability. This CVE is not currently listed in the CISA Known Exploited Vulnerabilities catalog, so CISA has not formally confirmed in-the-wild exploitation as of the date of this briefing; KEV listing lags actual exploitation, and absence from the catalog is not evidence that exploitation is not occurring. The availability of a PoC combined with the critical CVSS score of 9.8 significantly lowers the barrier for exploitation and increases the likelihood of active attempts in the near term.
Who Is Targeting This
No specific threat actor attribution has been confirmed at this time. Fortinet products, particularly network security infrastructure, have historically been targeted by nation-state actors and ransomware operators, but no campaign or actor has been publicly linked to exploitation of this specific vulnerability as of May 13, 2026.
What To Do
Organizations running affected FortiSandbox versions should treat this as a high-priority patch given the critical severity rating and PoC availability. Fortinet customers should upgrade FortiSandbox on-premises deployments to a release later than 5.0.1 (5.0 branch) or 4.4.8 (4.4 branch) as fixed builds become available, and should confirm the exact patched versions, including those for each affected PaaS branch, against Fortinet's advisory rather than relying on the version numbers in this briefing. Because the weakness is a missing authorization check, strong passwords and MFA on administrative accounts do not mitigate it; the effective interim control is to restrict network access to FortiSandbox management interfaces using firewall rules or access control lists so that only trusted administrative hosts can reach them, and to verify that no management interface is exposed to the internet. Organizations using FortiSandbox Cloud or PaaS variants should contact Fortinet support to confirm whether vendor-side patches have been applied. While patches are being deployed, monitor FortiSandbox logs for two signals in particular: requests to management or API functionality that succeed without an authenticated session, and requests to that functionality from sources outside the administrative allowlist.
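The two log signals above, as an added triage example that is not part of the original briefing and not Fortinet code. It assumes a generic HTTP access-log shape constructed for this example (timestamp, source IP, request line, status, and an auth=yes|no field standing in for the presence of an authenticated session); FortiSandbox's own log schema is not reproduced here, and the trusted networks, protected path prefixes and sample lines are all constructed assumptions to be replaced with your environment's values.

```python
"""Triage helper for the interim detection described in the briefing.

Flags (1) requests to protected management/API paths that succeeded without
an authenticated session, which is the direct symptom of a missing
authorization check, and (2) requests to those paths from sources outside
the trusted administrative allowlist. Log format, paths, networks and sample
lines are constructed for this example, not FortiSandbox's own schema.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumed trusted administrative networks: the same ranges the interim
# firewall/ACL mitigation would permit to reach the management interface.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network(n) for n in ("10.10.0.0/24", "192.168.50.5/32")]

# Assumed path prefixes that must never be reachable without authorization.
PROTECTED_PREFIXES = ("/api/", "/jsonrpc")

# Assumed log shape: <ts> <src_ip> "<METHOD> <path>" <status> auth=<yes|no>
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r'(?P<status>\d{3}) auth=(?P<auth>yes|no)$'
)

REASON_UNAUTH_SUCCESS = "unauthenticated request to protected path succeeded"
REASON_UNTRUSTED_SOURCE = "protected path requested from untrusted source"


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    method: str
    path: str
    status: int
    reason: str


def is_trusted(src: str) -> bool:
    """True if src parses as an IP inside one of the trusted admin networks."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source is never trusted
    return any(addr in net for net in TRUSTED_ADMIN_NETS)


def is_protected(path: str) -> bool:
    return path.startswith(PROTECTED_PREFIXES)


def triage(lines):
    """Return findings for the lines that match the assumed log shape.

    An unauthenticated 2xx on a protected path is reported regardless of
    source, since a trusted host can also be the origin of an exploit attempt.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not the assumed shape; skip rather than guess
        path, src, status = m["path"], m["src"], int(m["status"])
        if not is_protected(path):
            continue
        if m["auth"] == "no" and 200 <= status < 300:
            reason = REASON_UNAUTH_SUCCESS
        elif not is_trusted(src):
            reason = REASON_UNTRUSTED_SOURCE
        else:
            continue
        findings.append(Finding(m["ts"], src, m["method"], path, status, reason))
    return findings


def summarize(findings):
    """Count findings by reason, for a quick shift-handover view."""
    counts = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


# Constructed sample log lines (not real FortiSandbox output).
SAMPLE_LOG = [
    '2026-05-13T09:00:01Z 10.10.0.7 "GET /api/v1/system/status" 200 auth=yes',
    '2026-05-13T09:00:02Z 203.0.113.45 "POST /api/v1/admin/users" 200 auth=no',
    '2026-05-13T09:00:03Z 203.0.113.45 "GET /api/v1/config" 401 auth=no',
    '2026-05-13T09:00:04Z 198.51.100.9 "GET /api/v1/jobs" 200 auth=yes',
    '2026-05-13T09:00:05Z 10.10.0.7 "GET /api/v1/jobs" 200 auth=no',
    '2026-05-13T09:00:06Z 10.10.0.7 "GET /login" 200 auth=no',
    "malformed line that does not match the assumed shape",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.ts} {f.src} {f.method} {f.path} {f.status}: {f.reason}")
    print(summarize(triage(SAMPLE_LOG)))
```

On the sample, the second and fifth lines are the ones that matter most: a protected path returned success to a request with no authenticated session, once from an untrusted address and once from a trusted administrative host. The third and fourth lines are lower-confidence signals (a rejected probe and an authenticated call from outside the allowlist) that mainly indicate the management interface is reachable from networks the interim firewall rules should have blocked.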