Fortinet Patch Tuesday – May 2026

Overview

Fortinet published 11 advisories on Patch Tuesday, each covering a single vulnerability, including two critical-severity code execution flaws. Fortinet has not tagged either of the two as exploited in the wild, but Fortinet vulnerabilities are frequently exploited in ransomware and cyber-espionage attacks, often as zero-days.

Fortinet flaws, both zero-day and n-day, have been exploited in the wild many times before, so organizations should deploy these patches as soon as possible.

Critical Severity

CVE-2026-44277 — FortiAuthenticator Improper Access Control | CVSS: 9.1 | Critical

Tracked as CVE-2026-44277, this is an improper access control issue in FortiAuthenticator that can be exploited remotely and without authentication. Per the vendor description, the flaw may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.

FortiAuthenticator serves as the central hub for RADIUS, LDAP, and SAML authentication, integrating with Active Directory and supporting single sign-on and multi-factor authentication. An unauthenticated attacker gaining code execution on this platform has a direct path to intercepting authentication flows, stealing session tokens, and undermining MFA enforcement across the entire environment.

FortiAuthenticator Cloud is not affected, so no action is required for the cloud variant.

Remediation: Upgrade to FortiAuthenticator 6.5.7, 6.6.9, or 8.0.3 depending on the release currently in use.
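Because the fixed release differs per branch, a fleet check has to map each appliance to its own branch before comparing versions. The script below is an added example, not Fortinet's code or tooling: it triages a FortiAuthenticator inventory against the three fixed releases named above (6.5.7, 6.6.9, 8.0.3). The hostnames, version strings and build suffix are constructed, and any branch the page does not list (for example 6.4.x) is reported as unknown rather than guessed, since the summary here gives no fixed release for it.

```python
"""Triage a FortiAuthenticator inventory against the CVE-2026-44277 fixed releases.

Added example, not Fortinet code. The fixed versions are the ones stated on this
page; a branch that is not listed is reported as "unknown", not assumed patched.
The inventory at the bottom is constructed sample data.
"""

# Minimum fixed release per major.minor branch, as given in the advisory summary.
FIXED_BY_BRANCH = {
    (6, 5): (6, 5, 7),
    (6, 6): (6, 6, 9),
    (8, 0): (8, 0, 3),
}


def parse_version(text):
    """Turn 'v6.6.8' or '6.6.8 build0150' into a comparable (major, minor, patch) tuple."""
    core = text.strip().lstrip("vV").split()[0]
    parts = core.split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised FortiAuthenticator version: {text!r}")
    return tuple(int(p) for p in parts[:3])


def assess(version):
    """Return 'vulnerable', 'patched' or 'unknown' for one appliance version."""
    v = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        return "unknown"  # branch not covered on this page: consult the PSIRT advisory
    return "patched" if v >= fixed else "vulnerable"


def triage(inventory):
    """Group hostnames by status so the vulnerable set can go straight to patch owners."""
    out = {"vulnerable": [], "patched": [], "unknown": []}
    for host, ver in sorted(inventory.items()):
        out[assess(ver)].append(host)
    return out


# Constructed inventory; hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = {
    "fac-hq-01": "6.6.8",
    "fac-hq-02": "6.6.9",
    "fac-dr-01": "v6.5.7 build0150",
    "fac-lab-01": "8.0.2",
    "fac-legacy": "6.4.9",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```

The comparison is a plain tuple compare, so 6.6.10 correctly ranks above 6.6.9; the point of the branch table is that 6.5.7 is fixed while 6.6.7, which is numerically "higher", is not.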

CVE-2026-26083 — FortiSandbox / FortiSandbox Cloud / FortiSandbox PaaS Missing Authorization | CVSS: 9.1 | Critical

CVE-2026-26083 is a missing authorization weakness in the web UI of FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS. A remote, unauthenticated attacker could send crafted HTTP requests to a vulnerable appliance to achieve code or command execution.

Because the flaw is reachable through the GUI without any credentials, an attacker could also reach restricted functionality and sensitive sandbox analysis data short of full code execution.

Affected versions include FortiSandbox 5.0 and 4.4, FortiSandbox Cloud 24, 23, and 5.0, and FortiSandbox PaaS versions spanning 22.1 through 23.4.

The risk profile here is elevated — FortiSandbox sits at the heart of malware analysis and threat detection workflows. An attacker achieving unauthenticated code execution on a sandbox platform can poison analysis results, suppress detections, or pivot deeper into the security infrastructure.

Remediation: Apply Fortinet’s patches per PSIRT advisory FG-IR-26-136. Prioritize internet-facing FortiSandbox deployments immediately.

High Severity

CVE-2025-53844 — FortiOS CAPWAP Daemon Out-of-Bounds Write | High

CVE-2025-53844 is an out-of-bounds write vulnerability in the CAPWAP daemon of FortiOS, affecting FortiOS 7.2, 7.4, and 7.6. An attacker who controls a managed endpoint could send malformed CAPWAP traffic to the FortiGate and crash or potentially compromise the daemon.

Exploitation requires control of an already-authenticated FortiAP, FortiExtender, or FortiSwitch, which limits the attack to an adversary who has first compromised one of those devices. Organizations with Fortinet wireless infrastructure should still treat this as a priority patch.

Remediation: Apply per Fortinet PSIRT advisory FG-IR-26-123.

CVE-2026-22828 — FortiAnalyzer Cloud Access Control | CVSS: 7.3 | High

Fortinet has released a security update for FortiAnalyzer Cloud addressing CVE-2026-22828. This vulnerability affects access control mechanisms within the platform, which is widely used for centralized logging, analytics, and security monitoring. If exploited, it could allow unauthorized actions within the environment, potentially weakening visibility and control over network security events.

Remediation: Apply per Fortinet PSIRT guidance for FortiAnalyzer Cloud.

Medium and Low Severity

CVE             | Product                      | Type                                              | CVSS
CVE-2025-53870  | FortiAP / FortiAP-W2         | OS Command Injection (CLI)                        | 6.5
CVE-2025-53681  | FortiMail                    | SQL Command Injection (Admin Portal)              | 6.3
CVE-2025-53680  | FortiAP / FortiAP-W2         | Command Injection (CLI)                           | 6.1
CVE-2025-67604  | FortiAnalyzer / FortiManager | DoS via Unsafe Function in Signal Handler         | 5.2
CVE-2026-25088  | FortiNDR                     | User-Controlled SQL Commands                      | 5.1
CVE-2026-44279  | FortiTokenAndroid            | OTP Disclosure via Exported TokenContentProvider  | 5.0
CVE-2026-25690  | FortiDeceptor                | Arbitrary Log File Read (Admin Interface)         | 4.0
CVE-2026-44278  | FortiClientWindows           | Hardcoded Encryption Key for VPN Saved Passwords  | 2.1

The FortiMail SQL injection and FortiNDR user-controlled SQL commands deserve attention beyond their CVSS scores — both sit in high-value telemetry and detection infrastructure.

Context — FortiClientEMS Exploitation Pattern

In February, Fortinet addressed a critical vulnerability, CVE-2026-21643, in the FortiClient Enterprise Management Server platform, which threat intelligence company Defused flagged as actively exploited one month later. More recently, CISA ordered federal agencies in early April to secure FortiClient EMS instances against an actively exploited authentication bypass flaw, CVE-2026-35616.

The pattern is consistent — Fortinet patches land, exploitation follows. This month’s critical flaws, particularly in FortiAuthenticator and FortiSandbox, should be treated with the same urgency as CISA-KEV-listed vulnerabilities.

Detection & Response

  • Monitor FortiAuthenticator logs for unauthenticated API request anomalies to RADIUS/SAML/LDAP endpoints
  • Review FortiSandbox web UI access logs for unexpected unauthenticated sessions or unauthorized HTTP requests
  • Alert on CAPWAP daemon crashes or unexpected FortiOS process restarts
  • Audit FortiClientWindows deployments for VPN saved password exposure given the hardcoded key flaw (CVE-2026-44278)
  • Restrict CLI access to FortiAP devices to trusted admin sessions only
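The first two bullets amount to one detection: a request to a restricted path that carried no session and that the server nevertheless answered. The script below, an added example rather than Fortinet's or any vendor's code, implements that over a constructed, generic access-log format (source IP, timestamp, request line, status, auth marker). The line layout, the restricted prefixes /api/ and /admin/, the public login paths and the sample lines are all assumptions, so map them to the real FortiAuthenticator or FortiSandbox log fields before putting it in a pipeline.

```python
"""Flag unauthenticated requests to restricted web UI / API paths in access logs.

Added detection example; not Fortinet code and not Fortinet's real log format.
Assumed line layout (constructed for this example):
  <src_ip> [<timestamp>] "<METHOD> <path> HTTP/1.1" <status> <auth>
where <auth> is '-' when the request carried no session cookie or Authorization
header, and 'session' when it did.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r'^(?P<src>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<auth>\S+)$'
)

# Assumed prefixes that should never answer without a session; the login
# endpoints are the legitimate unauthenticated exceptions.
RESTRICTED_PREFIXES = ("/api/", "/admin/")
PUBLIC_PATHS = {"/login", "/api/login"}


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def is_suspicious(rec):
    """True for an unauthenticated hit on a restricted path that was not rejected.

    4xx responses are deliberately excluded: they show the authorization check
    working. A 2xx/3xx with no session is what a missing-authorization bug
    being exercised would look like in the access log.
    """
    if rec["path"] in PUBLIC_PATHS or not rec["path"].startswith(RESTRICTED_PREFIXES):
        return False
    return rec["auth"] == "-" and rec["status"] < 400


def analyse(lines):
    """Return {src_ip: [restricted paths served without a session]}."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None and is_suspicious(rec):
            hits[rec["src"]].append(rec["path"])
    return dict(hits)


# Constructed sample lines; IPs are from private/documentation ranges, paths are placeholders.
SAMPLE_LOG = [
    '10.0.0.5 [12/May/2026:10:00:01 +0000] "GET /login HTTP/1.1" 200 -',
    '10.0.0.5 [12/May/2026:10:00:02 +0000] "POST /api/login HTTP/1.1" 200 -',
    '10.0.0.5 [12/May/2026:10:00:03 +0000] "GET /api/users HTTP/1.1" 200 session',
    '198.51.100.7 [12/May/2026:10:05:10 +0000] "GET /api/users HTTP/1.1" 200 -',
    '198.51.100.7 [12/May/2026:10:05:11 +0000] "GET /admin/settings HTTP/1.1" 401 -',
    '198.51.100.7 [12/May/2026:10:05:12 +0000] "GET /admin/settings?tab=auth HTTP/1.1" 200 -',
    'not an access log line at all',
]

if __name__ == "__main__":
    for src, paths in analyse(SAMPLE_LOG).items():
        print(f"{src}: {len(paths)} unauthenticated restricted hits -> {paths}")
```

A 2xx or 3xx to a restricted path with no session is the signature worth paging on. The 401/403 responses are filtered out because they show the control holding, but a burst of them from one source is still a scan and deserves a lower-priority alert of its own.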

Recommended Actions

  1. Immediately patch CVE-2026-44277 (FortiAuthenticator) and CVE-2026-26083 (FortiSandbox) — CVSS 9.1, unauthenticated RCE, no exploitation evidence yet but history says that window is short
  2. Patch FortiOS for CVE-2025-53844 across all wireless-connected FortiGate deployments
  3. Address FortiAnalyzer Cloud CVE-2026-22828 — visibility platform compromise is a blind-spot attack
  4. Schedule medium-severity patches for FortiMail, FortiAP, FortiAnalyzer, FortiManager, and FortiNDR in the next maintenance window
  5. Rotate VPN credentials on all FortiClientWindows deployments — the hardcoded encryption key flaw may have already exposed saved passwords
