External risk intelligence

Esri Portal for ArcGIS Missing Authentication Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-13019

Esri Portal for ArcGIS is commonly deployed as a web-based geographic information system portal or API gateway intended for network access. As an enterprise portal, it frequently functions as an internet-facing service or an externally reachable management surface, making its API endpoints commonly accessible in real-world deployment patterns.

Esri Portal For Arcgis

12.1 and earlier

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in Esri Portal for ArcGIS, affecting versions prior to 12.1. This issue involves a missing authentication for a critical function, potentially allowing unauthenticated remote attackers to access an unprotected API. Given the common use of ArcGIS Portal as an internet-facing service and its role as a geographic information system portal or API gateway, this vulnerability could have significant implications for data access and system integrity. The main concern at this stage is confirming the relevance and exposure of this technology within our environment.

  • Unprotected API access in ArcGIS Portal.
  • Critical function lacks authentication.
  • Confirm relevance and exposure.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker could reach a critical function within Esri Portal for ArcGIS by interacting with an unprotected API over the network. This exposure allows an attacker to bypass authentication mechanisms. Successful exploitation could lead to significant compromise of the system's confidentiality, integrity, and availability.

  • Entry condition: Network access to the portal.
  • Trigger point: Unprotected API endpoint.
  • Resulting risk: Data theft, modification, or denial of service.

Live Threat

Current exploitation, exposure, and threat context

A missing authentication vulnerability in Esri Portal for ArcGIS could allow a remote, unauthenticated attacker to access an unprotected API. This exposure could affect the integrity and availability of the portal's services and the data it manages.

  • System data and service integrity.
  • Unauthenticated API access.
  • Potential disruption of services.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in Esri Portal for ArcGIS could allow unauthenticated attackers to access sensitive API functions, impacting organizations relying on its geographic information system capabilities. The first practical move is to identify all instances of affected software, confirm their network exposure and business criticality, and assign ownership for remediation. This coordinated effort will prioritize response based on potential impact.

  • Assign ownership to the GIS or platform team.
  • Verify network exposure and asset criticality.
  • Plan remediation during the next maintenance window.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Esri Portal for ArcGIS?

It is a central component of the ArcGIS ecosystem used to manage, share, and distribute geographic data and web maps within an organization. It functions as a web-based portal or API gateway, allowing users to interact with spatial information and analytical tools across various platforms, including Windows, Linux, and Kubernetes environments.

What does this CVE-2026-13019 vulnerability mean?

This vulnerability is classified as CWE-640, or missing authentication for a critical function. In plain terms, it means a specific part of the software's API does not check if a user is who they say they are before performing a task. Because this check is absent, the system treats unauthenticated requests as if they were legitimate, potentially granting unauthorized access to the portal's core functions.

How is this vulnerability triggered?

An attacker triggers this issue by sending network requests to the specific, unprotected API endpoint within the portal. The bug does not require any credentials or special access rights to initiate. It is important to note that actions performed through protected or authenticated API endpoints are not affected by this specific flaw.

Is my ArcGIS Portal at risk?

Your risk depends on your deployment, as Halo Surface Signal notes that this software is frequently configured as an internet-facing service or an externally reachable gateway. If your portal is accessible from outside your internal network, it is a higher priority for review. Even internal instances should be assessed to ensure they are managed and monitored effectively.

How should I respond to this vulnerability?

Begin by creating an inventory of all ArcGIS Portal instances to identify those running version 12.1 or earlier. Coordinate with the platform or GIS teams to confirm which instances are accessible over the network and evaluate their business criticality. Once mapped, verify if these systems are slated for updates and assign clear ownership for the upcoming remediation tasks.

References