Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from Vendor (fortinet) · only source for this CVE.
CVSS VectorVendor: fortinet
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
A missing authorization vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.1, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox Cloud 5.0.2 through 5.0.5, FortiSandbox PaaS 23.4 all versions, FortiSandbox PaaS 23.3 all versions, FortiSandbox PaaS 23.1 all versions, FortiSandbox PaaS 22.2 all versions, FortiSandbox PaaS 22.1 all versions, FortiSandbox PaaS 21.4 all versions, FortiSandbox PaaS 21.3 all versions, FortiSandbox PaaS 5.0.0 through 5.0.1, FortiSandbox PaaS 4.4.5 through 4.4.8 may allow an unauthenticated attacker to execute unauthorized code or commands via HTTP requests.
AnalysisAI
Remote code execution in Fortinet FortiSandbox 4.4.x through 5.0.x (on-premises, Cloud, and PaaS deployments) allows unauthenticated attackers to execute arbitrary code or commands via crafted HTTP requests. This CWE-862 missing authorization flaw affects sandbox analysis appliances across multiple deployment models with CVSS 9.8 (critical) severity. Fortinet has published vendor advisory FG-IR-26-136. No CISA KEV listing or public POC identified at time of analysis, though the trivial attack complexity (AC:L) and network vector without authentication (PR:N) indicate high exploitability if technical details emerge.
Technical ContextAI
FortiSandbox is Fortinet's malware analysis and threat intelligence platform used to detonate suspicious files in isolated environments. This vulnerability stems from CWE-862 (Missing Authorization), meaning certain HTTP endpoints fail to verify caller permissions before executing privileged operations. The CVSS vector AV:N/AC:L/PR:N/UI:N indicates the flaw exists in network-accessible services with no authentication checks, likely in the web management interface or API layer. The affected CPE strings cover three distinct deployment models: cpe:2.3:a:fortinet:fortisandbox (on-premises appliances), cpe:2.3:a:fortinet:fortisandbox_cloud (cloud-hosted instances), and cpe:2.3:a:fortinet:fortisandbox_paas (platform-as-a-service). The breadth of affected versions (spanning releases from 21.3 through 5.0.5 depending on deployment model) suggests the authorization gap exists in core HTTP request handling code shared across all FortiSandbox variants.
RemediationAI
Apply vendor-released patches per Fortinet advisory FG-IR-26-136 at https://fortiguard.fortinet.com/psirt/FG-IR-26-136 which should specify fixed versions for each deployment model (specific patch versions not independently confirmed from available data). Until patching is complete, implement compensating controls: restrict HTTP/HTTPS access to FortiSandbox management interfaces to trusted administrative networks only via firewall rules or ACLs (blocks remote unauthenticated access vector); disable external access to Cloud/PaaS management APIs if not operationally required; monitor HTTP access logs for unusual POST/PUT requests to administrative endpoints; deploy network-based intrusion prevention signatures if available from Fortinet for this CVE. Note that access restrictions may impact legitimate remote administration workflows and require VPN or jump host access. For PaaS deployments, coordinate remediation timeline with Fortinet as patching may be vendor-managed.
More in Fortisandbox Cloud
View allUnauthenticated OS command injection in Fortinet FortiSandbox (on-premise, Cloud, and PaaS variants) allows remote attac
Path traversal in Fortinet FortiSandbox 4.4.0-4.4.8 and 5.0.0-5.0.5 enables remote unauthenticated attackers to achieve
Authenticated OS command injection in Fortinet FortiSandbox (versions 5.0.0-5.0.2, 4.4.0-4.4.7, all 4.2.x, all 4.0.x) an
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29550
GHSA-5cw8-3wjv-7mvq