Categories: Cyber Security News

Critical Fortinet FortiSandbox Vulnerability Enables Code Execution Attacks

A critical security flaw in Fortinet’s FortiSandbox platform is putting enterprise networks at serious risk, allowing unauthenticated attackers to execute arbitrary code or commands remotely, with no credentials required.

Fortinet disclosed the vulnerability on May 12, 2026, under the identifier CVE-2026-26083 (FG-IR-26-136), assigning it a CVSSv3 score of 9.1, placing it firmly in the critical severity tier.

The flaw stems from a missing authorization vulnerability in the FortiSandbox Web UI, affecting the on-premises, cloud, and Platform-as-a-Service (PaaS) variants of the product.

Fortinet FortiSandbox Vulnerability

The vulnerability exists in the GUI component of FortiSandbox’s web interface. Because of the missing authorization check, a remote, unauthenticated attacker can craft malicious HTTP requests to trigger unauthorized code or command execution on the underlying system.

With no authentication restriction and no user interaction required, the attack surface is dangerously broad, and the potential impact spans confidentiality, integrity, and availability.

FortiSandbox is widely deployed in enterprise environments as a core malware analysis and threat detection tool. Compromising it doesn’t just expose a single asset; it potentially blinds an organization’s entire threat detection pipeline.

Affected Versions

The vulnerability impacts a wide range of FortiSandbox deployments:

  • FortiSandbox 5.0: Versions 5.0.0–5.0.1 — upgrade to 5.0.2 or above
  • FortiSandbox 4.4: Versions 4.4.0–4.4.8 — upgrade to 4.4.9 or above
  • FortiSandbox Cloud 24 and 23: All versions — migrate to a fixed release
  • FortiSandbox Cloud 5.0: Versions 5.0.2–5.0.5 — upgrade to 5.0.6 or above
  • FortiSandbox PaaS 5.0: Versions 5.0.0–5.0.1 — upgrade to 5.0.2 or above
  • FortiSandbox PaaS 4.4: Versions 4.4.5–4.4.8 — upgrade to 4.4.9 or above
  • Multiple legacy FortiSandbox PaaS versions (23.4, 23.3, 23.1, 22.2, 22.1, 21.4, 21.3): All versions affected — migrate to a fixed release immediately
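As an added example (not Fortinet's tooling and not part of the original article), the Python helper below encodes the affected and fixed ranges listed above so a defender can check an inventory export against the advisory; the product labels and the "unknown" bucket are this example's own conventions.

```python
"""Triage helper for CVE-2026-26083 (FG-IR-26-136): is a FortiSandbox build
in an affected range? Ranges are transcribed from the advisory summary above;
this is illustrative code, not Fortinet's own tooling."""
from typing import Optional, Tuple

Version = Tuple[int, ...]

def parse_version(text: str) -> Version:
    """'5.0.1' -> (5, 0, 1); rejects non-numeric components."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad version string: {text!r}")
    return tuple(int(p) for p in parts)

# (product, first affected, last affected, first fixed release in that branch)
AFFECTED = [
    ("FortiSandbox",       "5.0.0", "5.0.1", "5.0.2"),
    ("FortiSandbox",       "4.4.0", "4.4.8", "4.4.9"),
    ("FortiSandbox Cloud", "5.0.2", "5.0.5", "5.0.6"),
    ("FortiSandbox PaaS",  "5.0.0", "5.0.1", "5.0.2"),
    ("FortiSandbox PaaS",  "4.4.5", "4.4.8", "4.4.9"),
]
# Branches where every build is affected and no fixed release exists: migrate.
MIGRATE_ONLY = {
    "FortiSandbox Cloud": {"24", "23"},
    "FortiSandbox PaaS": {"23.4", "23.3", "23.1", "22.2", "22.1", "21.4", "21.3"},
}

def triage(product: str, version: str) -> Tuple[str, Optional[str]]:
    """Return (status, advice); status is 'affected', 'fixed', 'migrate' or 'unknown'."""
    v = parse_version(version)
    for prod, lo, hi, fix in AFFECTED:
        if prod != product:
            continue
        if parse_version(lo) <= v <= parse_version(hi):
            return "affected", f"upgrade to {fix} or above"
        fixed = parse_version(fix)
        # Same branch (major.minor) and at or past the fix: patched.
        if v[:2] == fixed[:2] and v >= fixed:
            return "fixed", None
    # Legacy branches are listed by prefix ('23.4' or just '24'); try both widths.
    for width in (2, 1):
        branch = ".".join(str(x) for x in v[:width])
        if branch in MIGRATE_ONLY.get(product, set()):
            return "migrate", "no fixed release in this branch; migrate to a fixed release"
    return "unknown", "not covered by the advisory summary; verify against FG-IR-26-136"
```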

The flaw was discovered internally and reported by researcher Adham El Karn of the Fortinet Product Security team.

While the vulnerability has not been observed to be exploited in the wild as of publication, its unauthenticated nature and critical CVSS score make it a prime candidate for rapid weaponization.

Security teams are strongly urged to apply the available patches without delay. Organizations running legacy FortiSandbox PaaS versions with no direct upgrade path must prioritize migration to a supported fixed release.


The post Critical Fortinet FortiSandbox Vulnerability Enables Code Execution Attacks appeared first on Cyber Security News.
