CVE-2026-33518

CRITICAL

Incorrect privilege assignment in Portal for ArcGIS

Title source: cna

Description

An incorrect privilege assignment vulnerability exists in Esri Portal for ArcGIS 11.5 in Windows and Linux that allows highly privileged users to create developer credentials that may grant more privileges than expected.

Scores

CVSS v3: 9.8
EPSS: 0.0029
EPSS Percentile: 21.0%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: total

Details

CWE: CWE-266
Status: published
Products (2):
Esri/Portal for ArcGIS 11.5
esri/portal_for_arcgis 11.5
Published: Apr 21, 2026
Tracked Since: Apr 22, 2026