External risk intelligence

Esri Portal for ArcGIS Weak Password Recovery Allows Account Takeover

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-13020

Esri Portal for ArcGIS is commonly deployed as an internet-facing web portal to provide mapping and geospatial services to users. Because the vulnerability involves the password recovery mechanism of a web-based portal, it is commonly accessible to remote users over the internet in standard deployment configurations.

Esri Portal For Arcgis

12.1 and earlier

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A security vulnerability in Esri Portal for ArcGIS allows unauthorized remote attackers to take over user accounts by exploiting a weakness in the forgotten password recovery process. This affects systems running version 12.1 and earlier on Windows, Linux, and Kubernetes. While administrators can still reset passwords, configuring email for self-service recovery is recommended to mitigate this risk.

  • Weak password recovery lets attackers steal accounts.
  • Sensitive geospatial data access is at risk.
  • Confirm relevance and ensure proper configuration.

Attack Path

How an attacker could exploit the issue

An attacker can exploit a flaw in the forgotten password recovery process to take over user accounts. This requires no special access to start, as the vulnerable feature is exposed online. Once an attacker tricks the system into believing they are a legitimate user seeking password recovery, they can manipulate the process to gain control of that user's account.

  • No prior access is needed.
  • Manipulate password recovery feature.
  • Risk of unauthorized account takeover.

Live Threat

Current exploitation, exposure, and threat context

A weak password recovery mechanism in Esri Portal for ArcGIS could allow a remote attacker to take over user accounts. This occurs when the system's email server is not configured for user self-service password resets, potentially exposing user account control to unauthorized individuals.

  • User account access.
  • Manipulating password recovery.
  • Unauthorized account control.

Operational Fix

Recommended remediation, mitigation, and detection steps

ArcGIS Administrators are the primary owners for this vulnerability in Esri Portal for ArcGIS. The first action is to confirm the deployment's reachability and business criticality, then identify the specific administrator responsible and plan remediation based on the identified risk.

  • Confirm administrator ownership.
  • Verify system reachability and criticality.
  • Plan remediation based on risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Portal for ArcGIS?

Portal for ArcGIS is a core component of the ArcGIS Enterprise suite. Organizations use it as a centralized, web-based platform to manage, share, and collaborate on geographic information system (GIS) resources, such as maps, data layers, and analytical tools, across their enterprise.

How does CVE-2026-13020 affect account security?

This vulnerability is classified as CWE-640: Weak Password Recovery Mechanism. It means the system's process for verifying identity during a 'forgot password' request is flawed. Because the mechanism does not securely validate the recovery attempt, an attacker can manipulate the process to impersonate a user and gain full control over their account.

Do I need to be logged in to trigger this vulnerability?

No. The vulnerability exists in the publicly accessible password recovery workflow. An attacker does not need any prior authorization or valid credentials to interact with the recovery feature. Conversely, users who do not interact with the 'forgot password' function or environments where this specific recovery path is disabled are not necessarily immune, as the flaw resides in the underlying mechanism itself.

Is my ArcGIS instance at higher risk?

According to Halo Surface Signal, this software is frequently deployed as an internet-facing portal to deliver geospatial services to remote users. If your Portal for ArcGIS instance is accessible via the internet, it is at higher risk because the vulnerable password recovery mechanism is exposed to remote, unauthorized network requests.

What steps should I take if I am running an affected version?

First, verify if your organization has configured an external email server for self-service password recovery in ArcGIS Enterprise. If this is not set up, the default recovery mechanism may be more susceptible to manipulation. Coordinate with your ArcGIS administrator to review your current configuration, assess the exposure of your portal, and prioritize patching based on your deployment's reachability and criticality.

References