CVE-2026-33519 - Vulnerability Details - OpenCVE

An incorrect authorization vulnerability exists in Esri Portal for ArcGIS 11.4, 11.5 and 12.0 on Windows, Linux and Kubernetes that did not correctly check permissions assigned to developer credentials.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Vendors	Products
Esri	Portal For Arcgis

No data.

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Esri	Portal For Arcgis

References

Link	Providers
https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/april2026_security_bulletin

History

Wed, 22 Apr 2026 02:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Esri Esri portal For Arcgis
Vendors & Products		Esri Esri portal For Arcgis

Wed, 22 Apr 2026 00:00:00 +0000

Type	Values Removed	Values Added
Description		An incorrect authorization vulnerability exists in Esri Portal for ArcGIS 11.4, 11.5 and 12.0 on Windows, Linux and Kubernetes that did not correctly check permissions assigned to developer credentials.
Title		Incorrect privilege assignment in Portal for ArcGIS
Weaknesses		CWE-266
References		https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/april2026_security_bulletin
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

MITRE

Status: PUBLISHED

Assigner: Esri

Published: 2026-04-21T20:38:28.573Z

Updated: 2026-04-21T20:38:28.573Z

Reserved: 2026-03-20T17:25:24.410Z

Link: CVE-2026-33519

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-21T21:16:29.673

Modified: 2026-04-21T21:16:29.673

Link: CVE-2026-33519

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T02:15:05Z

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33519", "assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e", "state": "PUBLISHED", "assignerShortName": "Esri", "dateReserved": "2026-03-20T17:25:24.410Z", "datePublished": "2026-04-21T20:38:28.573Z", "dateUpdated": "2026-04-21T20:38:28.573Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["Windows", "Linux", "Kubernetes"], "product": "Portal for ArcGIS", "vendor": "Esri", "versions": [{"status": "affected", "version": "11.4"}, {"status": "affected", "version": "11.5"}, {"status": "affected", "version": "12.0"}]}], "datePublic": "2026-04-20T20:38:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: oklch(1 0 0);\">An incorrect authorization vulnerability exists in Esri Portal for ArcGIS 11.4, 11.5 and 12.0 on Windows, Linux and Kubernetes that did not correctly check permissions assigned to developer credentials. \n\n</span>"}], "value": "An incorrect authorization vulnerability exists in Esri Portal for ArcGIS 11.4, 11.5 and 12.0 on Windows, Linux and Kubernetes that did not correctly check permissions assigned to developer credentials."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-266", "description": "CWE-266: Incorrect Privilege Assignment (4.19.1)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e", "shortName": "Esri", "dateUpdated": "2026-04-21T20:38:28.573Z"}, "references": [{"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/april2026_security_bulletin"}], "source": {"defect": ["BUG-000182353 \u2013 Portal for ArcGIS has a security vulnerability"], "discovery": "UNKNOWN"}, "title": "Incorrect privilege assignment in Portal for ArcGIS", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"affected": [{"configurations": [{"platform": ["windows", "linux", "kubernetes"], "status": "affected", "versions": {"scheme": "generic", "value": "11.4"}}, {"platform": ["windows", "linux", "kubernetes"], "status": "affected", "versions": {"scheme": "generic", "value": "11.5"}}, {"platform": ["windows", "linux", "kubernetes"], "status": "affected", "versions": {"scheme": "generic", "value": "12.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Portal for ArcGIS", "source": "cna", "vendor": "Esri"}, "product": "portal_for_arcgis", "vendor": "esri"}], "analysis": {"en": {"generated_at": "2026-04-22T02:13:48.059755+00:00", "value": {"mitigation_remediation": ["Install Esri\u2019s latest Portal for ArcGIS patch or upgrade to a version that resolves the privilege assignment bug.", "Revoke or reduce permissions for developer accounts and delete any unused or default developer credentials.", "Enable multi\u2011factor authentication for developer accounts and enforce the least privilege model for all personnel."], "summary": {"action": "Patch", "impact": "Unauthorized privilege escalation due to improper permission checks on developer accounts"}, "threat_synthesis": {"affected_systems": "Esri Portal for ArcGIS versions 11.4, 11.5, and 12.0 running on Windows, Linux, or Kubernetes are affected, regardless of deployment platform.", "description_and_impact": "An incorrect authorization vulnerability in Esri Portal for ArcGIS fails to validate permissions assigned to developer credentials, allowing attackers to gain higher levels of access than intended. The flaw is a classic example of improper privilege management (CWE\u2011266). An attacker who compromises or abuses a developer credential can elevate privileges within the portal, increasing the risk of data exposure or service disruption.", "risk_and_exploitability": "The CVSS score of 9.8 indicates a high severity vulnerability. While an EPSS score is not available, the lack of listing in the CISA KEV catalog suggests no known widespread exploitation yet, but the flaw remains exploitable under normal conditions. The likely attack vector involves misuse of developer credentials that bypass the portal\u2019s permission checks, potentially enabling an attacker to gain full administrative control over the portal instance."}}}}, "created": "2026-04-22T02:00:04.889368+00:00", "updated": "2026-04-22T02:15:05.405824+00:00", "vendors": ["esri", "esri$PRODUCT$portal_for_arcgis"]}