CVE-2026-33519

Esri · Portal for ArcGIS

An incorrect authorization vulnerability in Esri Portal for ArcGIS 11.4, 11.5, and 12.0 fails to correctly validate permissions assigned to developer credentials.

Executive summary

An authorization flaw in Esri Portal for ArcGIS allows unauthorized access due to improper permission validation for developer credentials, creating a high risk of system compromise.

Vulnerability

The application suffers from incorrect authorization, specifically failing to properly verify the permissions associated with developer-level credentials, which can be leveraged to gain unauthorized access.

Business impact

With a CVSS score of 9.8, this flaw represents a severe risk to organizational data integrity and confidentiality. Successful exploitation could allow attackers to bypass intended access controls, potentially accessing sensitive geospatial data and administrative functions within the ArcGIS environment.

Remediation

Immediate Action: Update the Esri Portal for ArcGIS installation to the latest available version provided by the vendor.

Proactive Monitoring: Audit existing user and developer accounts for unusual activity and review access logs for attempts to access resources outside of assigned permission scopes.

Compensating Controls: Implement the principle of least privilege by auditing and restricting developer credentials until the patch is successfully applied.

Exploitation status

Public Exploit Available: Not specified.

Analyst recommendation

The severity of this vulnerability necessitates immediate attention to patching the affected ArcGIS Portal instances. Organizations must verify their current versioning and apply the necessary updates to ensure that developer credential permissions are correctly enforced and to prevent unauthorized access to the platform.