What is the CVSS score of CVE-2026-26083?

CVE-2026-26083 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of Fortinet FortiSandbox are affected by CVE-2026-26083?

FortiSandbox 4.4.x through 5.0.x contains a critical remote code execution vulnerability (CVSS 9.8) that allows unauthenticated attackers to execute arbitrary commands through missing authorization…

Fortinet FortiSandbox CVE-2026-26083

EUVD-2026-29550 CRITICAL

Missing Authorization (CWE-862)

2026-05-12 fortinet

GHSA-5cw8-3wjv-7mvq

Authentication Bypass Fortinet

9.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Updated

May 12, 2026 - 18:28 vuln.today

v2 (cvss_changed)

Re-analysis Queued

May 12, 2026 - 18:22 vuln.today

cvss_changed

CVSS changed

May 12, 2026 - 18:22 NVD

9.1 (CRITICAL) 9.8 (CRITICAL)

Analysis Generated

May 12, 2026 - 18:00 vuln.today

CVE Published

May 12, 2026 - 16:54 nvd

CRITICAL 9.1

DescriptionNVD

A missing authorization vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.1, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox Cloud 5.0.2 through 5.0.5, FortiSandbox PaaS 23.4 all versions, FortiSandbox PaaS 23.3 all versions, FortiSandbox PaaS 23.1 all versions, FortiSandbox PaaS 22.2 all versions, FortiSandbox PaaS 22.1 all versions, FortiSandbox PaaS 21.4 all versions, FortiSandbox PaaS 21.3 all versions, FortiSandbox PaaS 5.0.0 through 5.0.1, FortiSandbox PaaS 4.4.5 through 4.4.8 may allow an unauthenticated attacker to execute unauthorized code or commands via HTTP requests.

AnalysisAI

Remote code execution in Fortinet FortiSandbox 4.4.x through 5.0.x (on-premises, Cloud, and PaaS deployments) allows unauthenticated attackers to execute arbitrary code or commands via crafted HTTP requests. This CWE-862 missing authorization flaw affects sandbox analysis appliances across multiple deployment models with CVSS 9.8 (critical) severity. …

RemediationAI

Within 24 hours: Identify and inventory all FortiSandbox deployments (versions 4.4.x-5.0.x) across on-premises, Cloud, and PaaS environments; isolate affected instances from production networks if operationally feasible. Within 7 days: Contact Fortinet support for patched version availability and timeline; review Fortinet advisory FG-IR-136 for interim mitigations; implement network segmentation to restrict HTTP access to FortiSandbox to trusted analyst networks only. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-26083 vulnerability details – vuln.today

Back

Fortinet FortiSandbox CVE-2026-26083

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code