CVE-2026-33519
Incorrect Authorization in Esri Portal for ArcGIS Developer Access
Publication date: 2026-04-21
Last updated on: 2026-04-21
Assigner: Environmental Systems Research Institute, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| esri | portal_for_arcgis | 11.4 |
| esri | portal_for_arcgis | 11.5 |
| esri | portal_for_arcgis | 12.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an incorrect authorization issue found in Esri Portal for ArcGIS versions 11.4, 11.5, and 12.0 across Windows, Linux, and Kubernetes platforms. It occurs because the system does not properly verify the permissions assigned to developer credentials, potentially allowing unauthorized actions.
How can this vulnerability impact me? :
The vulnerability can have a severe impact as it allows unauthorized users to perform actions that should be restricted. Given the high CVSS score of 9.8, it can lead to complete compromise of confidentiality, integrity, and availability of the affected system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability is an incorrect authorization issue in Esri Portal for ArcGIS that fails to properly check permissions for developer credentials, potentially allowing unauthorized access.
Such unauthorized access could lead to exposure or modification of sensitive data, which may impact compliance with data protection regulations like GDPR and HIPAA that require strict access controls and protection of personal or health information.
However, specific details on how this vulnerability directly affects compliance with these standards are not provided.