
Fortinet FortiSandbox Critical RCE: Unauthenticated Attackers Can Execute Commands

A critical missing authorization vulnerability, tracked as CVE-2026-26083, has been identified in multiple Fortinet FortiSandbox and FortiSandbox PaaS versions. According to the National Vulnerability Database, this flaw allows an unauthenticated attacker to execute arbitrary code or commands through crafted HTTP requests. The severity is rated 9.8 CVSS, indicating extreme risk.

This isn’t a theoretical risk; it’s a direct path for unauthenticated attackers to gain control. The vulnerability spans FortiSandbox 5.0.0 through 5.0.1, 4.4.0 through 4.4.8, FortiSandbox Cloud 5.0.2 through 5.0.5, and numerous FortiSandbox PaaS iterations from versions 21.3 up to 23.4. The scope of affected products is broad, impacting both on-premise and cloud deployments.

The attacker’s calculus here is simple: find an exposed FortiSandbox instance, send a malicious HTTP request, and gain remote code execution. This bypasses authentication entirely, making it a prime target for initial access. Defenders must prioritize patching and ensure these critical security tools aren’t becoming an entry point themselves.

What This Means For You

  • If your organization uses Fortinet FortiSandbox or FortiSandbox PaaS, you need to immediately identify all instances running the affected versions. Patching for CVE-2026-26083 is not optional; it's a critical security imperative to prevent unauthenticated remote code execution. Audit network access to these devices and ensure they are not directly exposed to the internet.
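
One way to run the version check described above, as an added example that is not part of the original advisory or any Fortinet tooling: it classifies a CSV inventory against the affected versions listed on this page. The CSV layout, the host names and the matching of PaaS versions by release train are assumptions.

```python
import csv
import io
import re

# Affected versions as listed on this page for CVE-2026-26083 (inclusive ranges).
AFFECTED_RANGES = {
    "fortisandbox": [((5, 0, 0), (5, 0, 1)), ((4, 4, 0), (4, 4, 8))],
    "fortisandbox cloud": [((5, 0, 2), (5, 0, 5))],
}
# PaaS: the page lists whole releases ("all versions of 23.4, 23.3, ...").
AFFECTED_PAAS_TRAINS = {(23, 4), (23, 3), (23, 1), (22, 2), (22, 1), (21, 4), (21, 3)}

# Constructed sample inventory; host names and CSV layout are hypothetical.
SAMPLE_INVENTORY = """host,product,version
fsa-dc1,FortiSandbox,v4.4.8 build0000
fsa-dc2,FortiSandbox,5.0.2
fsa-cloud1,FortiSandbox Cloud,5.0.4
fsa-paas1,FortiSandbox PaaS,23.3.1
fsa-paas2,FortiSandbox PaaS,23.2
fsa-lab,FortiSandbox,unknown
"""

def parse_version(text):
    """Return the first dotted version in text as a tuple of ints, or None."""
    m = re.search(r"\d+(?:\.\d+)+", text)
    return tuple(int(p) for p in m.group(0).split(".")) if m else None

def classify(product, version_text):
    """Return 'affected', 'not-listed' or 'unparsed' for one inventory row."""
    version = parse_version(version_text)
    if version is None:
        return "unparsed"  # needs manual review, never assumed safe
    name = product.strip().lower()
    if name == "fortisandbox paas":
        return "affected" if version[:2] in AFFECTED_PAAS_TRAINS else "not-listed"
    if len(version) < 3:
        return "unparsed"  # "5.0" alone cannot be placed in a patch-level range
    for low, high in AFFECTED_RANGES.get(name, []):
        if low <= version[:3] <= high:
            return "affected"
    return "not-listed"

def triage(inventory_csv):
    """Map each host in a CSV inventory to its classification."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["product"], r["version"]) for r in rows}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

A `not-listed` result only means the version is absent from this page's affected list; confirm it against the vendor advisory before treating the instance as fixed.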

Indicators of Compromise

ID | Type | Indicator
CVE-2026-26083 | Auth Bypass | Fortinet FortiSandbox versions 5.0.0 through 5.0.1
CVE-2026-26083 | Auth Bypass | Fortinet FortiSandbox versions 4.4.0 through 4.4.8
CVE-2026-26083 | Auth Bypass | Fortinet FortiSandbox Cloud versions 5.0.2 through 5.0.5
CVE-2026-26083 | Auth Bypass | Fortinet FortiSandbox PaaS all versions of 23.4, 23.3, 23.1, 22.2, 22.1, 21.4, 21.3
CVE-2026-26083 | RCE | Unauthenticated code or command execution via HTTP requests in Fortinet FortiSandbox and FortiSandbox PaaS
Source & Attribution
Source Platform: NVD
Channel: National Vulnerability Database
Published: May 12, 2026 at 21:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

