Description
An incorrect privilege assignment vulnerability exists in Esri Portal for ArcGIS 11.5 in Windows and Linux that allows highly privileged users to create developer credentials that may grant more privileges than expected.
Published: 2026-04-21
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

An incorrect privilege assignment flaw in Esri Portal for ArcGIS 11.5 on Windows and Linux permits a highly privileged user to create developer credentials that carry more permissions than intended. This flaw, classified as CWE-266, enables attackers who already possess elevated privileges to generate credentials that may compromise system integrity or provide unauthorized access to other resources.

Affected Systems

The vulnerability affects Esri Corporation’s Portal for ArcGIS product, specifically version 11.5 running on Windows and Linux operating systems.

Risk and Exploitability

The flaw has a CVSS score of 9.8, indicating Critical severity. EPSS data is currently unavailable, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector requires the attacker to already be a trusted, elevated user within the system; once that condition is met, they can exploit the bug by creating rogue credentials to rotate or elevate access levels. Given the high severity and the need for privileged access, organizations with Esri Portal for ArcGIS deployments should treat this as an urgent exposure.

Generated by OpenCVE AI on April 22, 2026 at 04:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest patch or upgrade for Esri Portal for ArcGIS 11.5 that addresses the incorrect privilege assignment issue.
  • Review and harden role‑based access controls to enforce the principle of least privilege, ensuring only authorized administrators can create developer credentials.
  • Audit and monitor credential creation events for anomalous or unauthorized activity, and restrict developer credential use to necessity only.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 13:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Wed, 22 Apr 2026 04:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Esri; Esri portal For Arcgis |
| Vendors & Products | | Esri; Esri portal For Arcgis |

Wed, 22 Apr 2026 00:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | An incorrect privilege assignment vulnerability exists in Esri Portal for ArcGIS 11.5 in Windows and Linux that allows highly privileged users to create developer credentials that may grant more privileges than expected. |
| Title | | Incorrect privilege assignment in Portal for ArcGIS |
| Weaknesses | | CWE-266 |
| References | | |
| Metrics | | cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'} |


MITRE

Status: PUBLISHED

Assigner: Esri

Published:

Updated: 2026-04-22T12:59:55.699Z

Reserved: 2026-03-20T17:25:24.409Z

Link: CVE-2026-33518

Vulnrichment

Updated: 2026-04-22T12:59:30.289Z

NVD

Status: Received

Published: 2026-04-21T21:16:29.490

Modified: 2026-04-21T21:16:29.490

Link: CVE-2026-33518

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T04:45:09Z

Weaknesses