Incorrect global authorization
Summary
A missing authorization vulnerability [CWE-862] in FortiSandbox, FortiSandbox Cloud and FortiSandbox PaaS WEB UI may allow an unauthenticated attacker to execute unauthorized code or commands via HTTP requests.
| Version | Affected | Solution |
|---|---|---|
| FortiSandbox 5.0 | 5.0.0 through 5.0.1 | Upgrade to 5.0.2 or above |
| FortiSandbox 4.4 | 4.4.0 through 4.4.8 | Upgrade to 4.4.9 or above |
| FortiSandbox Cloud 24 | All versions | Migrate to a fixed release |
| FortiSandbox Cloud 23 | All versions | Migrate to a fixed release |
| FortiSandbox Cloud 5.0 | 5.0.2 through 5.0.5 | Upgrade to 5.0.6 or above |
| FortiSandbox PaaS 23.4 | 23.4 all versions | Migrate to a fixed release |
| FortiSandbox PaaS 23.3 | 23.3 all versions | Migrate to a fixed release |
| FortiSandbox PaaS 23.1 | 23.1 all versions | Migrate to a fixed release |
| FortiSandbox PaaS 22.2 | 22.2 all versions | Migrate to a fixed release |
| FortiSandbox PaaS 22.1 | 22.1 all versions | Migrate to a fixed release |
| FortiSandbox PaaS 21.4 | 21.4 all versions | Migrate to a fixed release |
| FortiSandbox PaaS 21.3 | 21.3 all versions | Migrate to a fixed release |
| FortiSandbox PaaS 5.0 | 5.0.0 through 5.0.1 | Upgrade to 5.0.2 or above |
| FortiSandbox PaaS 4.4 | 4.4.5 through 4.4.8 | Upgrade to 4.4.9 or above |
Acknowledgement
Internally discovered and reported by Adham El karn of Fortinet Product Security team.
Timeline
2026-05-12: Initial publication