CVE-2026-13020
Received Received - Intake

Weak Password Recovery Mechanism in Esri Portal for ArcGIS

Vulnerability report for CVE-2026-13020, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: Environmental Systems Research Institute, Inc.

Description

A Weak Password Recovery Mechanism for Forgotten Password exists in Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes. A remote, unauthorized attacker may assume ownership of a user’s account by manipulating this mechanism. ArcGIS Administrators should configure an email server with ArcGIS Enterprise to facilitate user self-service password recovery. The ability for an administrator to reset a user’s password remains unchanged.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-07
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
esri portal_for_arcgis to 12.1 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-640 The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a Weak Password Recovery Mechanism in Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux, and Kubernetes. It allows a remote, unauthorized attacker to take over a user's account by exploiting the password recovery process.

Impact Analysis

The vulnerability can lead to an attacker assuming ownership of a user's account remotely without authorization. This can result in unauthorized access to sensitive information and potentially full control over the affected user's account.

Mitigation Strategies

To mitigate this vulnerability, ArcGIS Administrators should configure an email server with ArcGIS Enterprise to enable user self-service password recovery.

Note that the ability for an administrator to reset a user's password remains unchanged.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-13020. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart