- What: Missing authorization in FortiSandbox
- Impact: Unauthenticated attackers can execute unauthorized commands
PSIRT

Incorrect global authorization

Summary

A missing authorization vulnerability [CWE-862] in FortiSandbox, FortiSandbox Cloud and FortiSandbox PaaS WEB UI may allow an unauthenticated attacker to execute unauthorized code or commands via HTTP requests.

| Version | Affected | Solution |
|---|---|---|
| FortiSandbox 5.0 | 5.0.0 through 5.0.1 | Upgrade to 5.0.2 or above |
| FortiSandbox 4.4 | 4.4.0 through 4.4.8 | Upgrade to 4.4.9 or above |
| FortiSandbox Cloud 24 | All versions | Migrate to a fixed release |
| FortiSandbox Cloud 23 | All versions | Migrate to a fixed release |
| FortiSandbox Cloud 5.0 | 5.0.2 through 5.0.5 | Upgrade to 5.0.6 or above |
| FortiSandbox PaaS 23.4 | 23.4 all versions | Migrate to a fixed release |
| FortiSandbox PaaS 23.3 | 23.3 all versions | Migrate to a fixed release |
| FortiSandbox PaaS 23.1 | 23.1 all versions | Migrate to a fixed release |
| FortiSandbox PaaS 22.2 | 22.2 all versions | Migrate to a fixed release |
| FortiSandbox PaaS 22.1 | 22.1 all versions | Migrate to a fixed release |
| FortiSandbox PaaS 21.4 | 21.4 all versions | Migrate to a fixed release |
| FortiSandbox PaaS 21.3 | 21.3 all versions | Migrate to a fixed release |
| FortiSandbox PaaS 5.0 | 5.0.0 through 5.0.1 | Upgrade to 5.0.2 or above |
| FortiSandbox PaaS 4.4 | 4.4.5 through 4.4.8 | Upgrade to 4.4.9 or above |

Acknowledgement

Internally discovered and reported by Adham El karn of Fortinet Product Security team.

Timeline

2026-05-12: Initial publication

- IR Number: FG-IR-26-136
- Published Date: May 12, 2026
- Component: GUI
- Severity: Critical
- Discovered: Internal
- Attack Type: Unauthenticated
- Known Exploited: No
- CVSSv3 Score: 9.1
- Impact: Execute unauthorized code or commands
- CVE ID: CVE-2026-26083