External risk intelligence

Esri Portal for ArcGIS allows attackers to take control due to stolen developer credentials

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-33519

An internal attacker with valid developer credentials can exploit a flaw in Esri Portal for ArcGIS to bypass permission checks, enabling unauthorized access to private geospatial datasets and sensitive map configurations. This poses a risk of administrative compromise and the exposure of confidential organizational da…

3Halo Surface Signal

Esri Portal For Arcgis

11.411.512.0

External exposure likelihood

Halo Surface Signal score for CVE-2026-33519

Portal for ArcGIS is a web-based platform frequently deployed as an internet-facing application, making public reachability plausible. However, this specific vulnerability targets developer credentials and interfaces, which are often restricted to internal or authorized networks by default or standard configuration, making universal public exposure less common than for public-facing edge services.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Horizon Alert

Summary of the vulnerability and why it matters

An authorization flaw in Esri Portal for ArcGIS allows attackers to bypass permission checks, potentially enabling unauthorized access and modification of data. This is critical because it could lead to significant data compromise or service disruption.

  • Unauthorized access to sensitive information.
  • Could affect systems with developer credentials.
  • Impacts the integrity of geospatial data.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this flaw by leveraging unpatched versions of Esri Portal for ArcGIS to gain unauthorized access to sensitive data and administrative functions. This could be achieved by exploiting the incorrect permission checks associated with developer credentials.

  • Attackers need no prior authentication.
  • The vulnerability is in the developer credential permission checks.
  • It impacts Esri Portal for ArcGIS versions 11.4, 11.5, and 12.0.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in Esri Portal for ArcGIS, involving incorrect authorization for developer credentials, is notable due to its critical severity. While the vulnerability is accessible over the network and doesn't require user interaction or privileges, its exploitation is likely targeted at organizations using developer features within Portal for ArcGIS. There is no current public information suggesting active exploitation or widespread weaponization.

  • No known exploitation activity.
  • No public exploit code available.
  • Vulnerability published recently.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize immediate containment for Esri Portal for ArcGIS versions 11.4, 11.5, and 12.0 due to a critical authorization vulnerability that could allow unauthorized access and control. Assess if these services are exposed externally or accessible by unauthorized parties.

  • Isolate affected services if exposed.
  • Monitor for unusual developer credential activity.
  • Apply vendor patches when available.

Frequently asked questions

What is Esri Portal for ArcGIS?

Esri Portal for ArcGIS is a web-based platform for managing and sharing geospatial data, maps, and applications. It enables organizations to collaborate and make decisions using interactive maps and scenes.

What type of vulnerability is CVE-2026-33519?

CVE-2026-33519 is an incorrect authorization vulnerability (CWE-863) where Esri Portal for ArcGIS fails to properly validate permissions assigned to developer credentials. This allows attackers to bypass authorization controls and potentially gain unauthorized access.

How can an attacker exploit this flaw?

An attacker can exploit this flaw remotely over the network without authentication by crafting requests that bypass permission checks related to developer credentials. This could lead to unauthorized access to sensitive data and administrative functions.

How relevant is CVE-2026-33519 for organizations?

This vulnerability is highly relevant for organizations using Esri Portal for ArcGIS versions 11.4, 11.5, and 12.0, particularly those utilizing developer credentials such as API keys or OAuth 2.0 tokens.

What steps should be taken to address this vulnerability?

Organizations should immediately apply the security patch provided by Esri. Additionally, it is recommended to audit existing developer credentials and their permissions, restrict network access to administrative interfaces, and monitor logs for suspicious activity.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished Modified