CVE-2026-33518
Esri · Portal for ArcGIS
Esri Portal for ArcGIS 11.5 contains an incorrect privilege assignment vulnerability that allows highly privileged users to create developer credentials whose privileges exceed the intended limits.
Executive summary
A critical privilege assignment vulnerability in Esri Portal for ArcGIS 11.5 allows authorized users to escalate their permissions, posing a significant risk to system integrity.
Vulnerability
This is an incorrect privilege assignment vulnerability where highly privileged users can create developer credentials that grant excessive access rights, exceeding their authorized scope.
Business impact
The ability of privileged users to grant themselves unauthorized elevated permissions creates a substantial risk of data compromise and unauthorized administrative control. With a CVSS score of 9.8, this flaw represents a critical threat to an organization's security posture, potentially leading to unauthorized access to sensitive geospatial data and to the management of the underlying infrastructure.
Remediation
Immediate Action: Consult the official Esri security advisory for the latest security patches or configuration hardening steps to restrict developer credential creation.
Proactive Monitoring: Review access logs for the creation of new developer credentials and audit the privilege levels assigned to existing administrative accounts.
Compensating Controls: Implement strict Role-Based Access Control (RBAC) and limit the number of users with administrative or developer-level permissions within the Portal.
Exploitation status
Public Exploit Available: None
Analyst recommendation
Given the critical nature of this privilege assignment issue, administrators should prioritize auditing current portal accounts and applying vendor-supplied updates immediately. Limiting the scope of highly privileged accounts is essential to preventing potential abuse of this vulnerability.