CVE-2026-13019

Esri · Portal for ArcGIS

Esri Portal for ArcGIS versions 12.1 and earlier contain a missing authentication vulnerability allowing remote, unauthenticated attackers to access an unprotected API.

Executive summary

A critical authentication bypass vulnerability in Esri Portal for ArcGIS allows remote, unauthenticated attackers to gain unauthorized access to sensitive system APIs.

Vulnerability

This is a missing authentication for critical function vulnerability. It allows a remote, unauthenticated attacker to interact with an unprotected API, potentially leading to full system compromise.

Business impact

The vulnerability carries a CVSS score of 9.8, reflecting its critical nature and ease of exploitation. Successful exploitation could lead to unauthorized access to sensitive geographic data, system configuration changes, and potential full administrative control over the ArcGIS environment, resulting in significant data breaches and operational disruption.

Remediation

Immediate Action: Upgrade all instances of Esri Portal for ArcGIS to version 12.1 or the latest available patched release provided by the vendor.

Proactive Monitoring: Review system and API access logs for anomalous requests or unauthorized attempts to access internal API endpoints.

Compensating Controls: Implement strict network access control lists (ACLs) to limit access to the Portal for ArcGIS management interfaces to known, trusted management subnets.

Exploitation status

Public Exploit Available: False

Analyst recommendation

Given the critical severity and the lack of authentication required for exploitation, this vulnerability poses an immediate risk to infrastructure security. Organizations should prioritize patching their ArcGIS environments immediately to eliminate the risk of unauthorized API access and potential system takeover.