Skip to main content
A Singapore Government Agency Website How to identify
Official website links end with .gov.sg
Government agencies communicate via .gov.sg websites (e.g. go.gov.sg/open). Trusted websites
Secure websites use HTTPS
Look for a lock () or https:// as an added precaution. Share sensitive information only on official, secure websites.

Government officials will never ask you to transfer money or disclose bank log-in details over a phone call.

Call the 24/7 ScamShield Helpline at 1799 if you are unsure if something is a scam.

Cyber Security Agency of Singapore
Alerts

Critical Vulnerabilities in Fortinet FortiAuthenticator and FortiSandbox

15 May 2026

Fortinet has released security updates to address critical vulnerabilities in FortiAuthenticator and FortiSandbox. Users and administrators of affected products are advised to update to the latest versions immediately.

Background

Fortinet has released security updates to address an improper access control vulnerability (CVE-2026-44277) affecting FortiAuthenticator, and a missing authorisation vulnerability (CVE-2026-26083) affecting FortiSandbox in their monthly advisory. 

Both vulnerabilities have a Common Vulnerability Scoring System (CVSS v3.1) score of 9.8 and 9.1 out of 10 respectively.

Impact

Successful exploitation of these vulnerabilities could lead to the following:

  • CVE-2026-44277: Due to improper access control in FortiAuthenticator, an unauthenticated attacker could execute unauthorised code or commands via crafted requests.

  • CVE-2026-26083: Due to missing authorisation in the FortiSandbox Web UI, an unauthenticated attacker could execute unauthorised code or commands via HTTP requests.

Affected Products

These vulnerabilities affect the following Fortinet products and versions:

For CVE-2026-44277 (FortiAuthenticator):

  • FortiAuthenticator 8.0: versions 8.0.0 and 8.0.2

  • FortiAuthenticator 6.6: versions 6.6.0 through 6.6.8

  • FortiAuthenticator 6.5: versions 6.5.0 through 6.5.6

For CVE-2026-26083 (FortiSandbox):

  • FortiSandbox 5.0: versions 5.0.0 through 5.0.1

  • FortiSandbox 4.4: versions 4.4.0 through 4.4.8

  • FortiSandbox Cloud 24: all versions

  • FortiSandbox Cloud 23: all versions

  • FortiSandbox Cloud 5.0: versions 5.0.2 through 5.0.5

  • FortiSandbox PaaS 23.4: all versions

  • FortiSandbox PaaS 23.3: all versions

  • FortiSandbox PaaS 23.1: all versions

  • FortiSandbox PaaS 22.2: all versions

  • FortiSandbox PaaS 22.1: all versions

  • FortiSandbox PaaS 21.4: all versions

  • FortiSandbox PaaS 21.3: all versions

  • FortiSandbox PaaS 5.0: versions 5.0.0 through 5.0.1

  • FortiSandbox PaaS 4.4: versions 4.4.5 through 4.4.8

Mitigation

Users and administrators of affected products are advised to update to the latest versions immediately.

References

https://fortiguard.fortinet.com/psirt/FG-IR-26-128

https://fortiguard.fortinet.com/psirt/FG-IR-26-136

https://nvd.nist.gov/vuln/detail/CVE-2026-44277

https://nvd.nist.gov/vuln/detail/CVE-2026-26083

http://www.bleepingcomputer.com/news/security/fortinet-warns-of-critical-rce-flaws-in-fortisandbox-and-fortiauthenticator/

Back to top