{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33519", "assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e", "state": "PUBLISHED", "assignerShortName": "Esri", "dateReserved": "2026-03-20T17:25:24.410Z", "datePublished": "2026-04-21T20:38:28.573Z", "dateUpdated": "2026-04-23T03:56:07.946Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["Windows", "Linux", "Kubernetes"], "product": "Portal for ArcGIS", "vendor": "Esri", "versions": [{"status": "affected", "version": "11.4"}, {"status": "affected", "version": "11.5"}, {"status": "affected", "version": "12.0"}]}], "datePublic": "2026-04-20T20:38:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: oklch(1 0 0);\">An incorrect authorization vulnerability exists in Esri Portal for ArcGIS 11.4, 11.5 and 12.0 on Windows, Linux and Kubernetes that did not correctly check permissions assigned to developer credentials. \n\n</span>"}], "value": "An incorrect authorization vulnerability exists in Esri Portal for ArcGIS 11.4, 11.5 and 12.0 on Windows, Linux and Kubernetes that did not correctly check permissions assigned to developer credentials."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-266", "description": "CWE-266: Incorrect Privilege Assignment (4.19.1)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e", "shortName": "Esri", "dateUpdated": "2026-04-21T20:38:28.573Z"}, "references": [{"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/april2026_security_bulletin"}], "source": {"defect": ["BUG-000182353 \u2013 Portal for ArcGIS has a security vulnerability"], "discovery": "UNKNOWN"}, "title": "Incorrect privilege assignment in Portal for ArcGIS", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-33519"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T03:56:07.946Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33519", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-22T17:19:14.970801Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T17:19:23.439Z"}}], "cna": {"title": "Incorrect privilege assignment in Portal for ArcGIS", "source": {"defect": ["BUG-000182353 \u2013 Portal for ArcGIS has a security vulnerability"], "discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Esri", "product": "Portal for ArcGIS", "versions": [{"status": "affected", "version": "11.4"}, {"status": "affected", "version": "11.5"}, {"status": "affected", "version": "12.0"}], "platforms": ["Windows", "Linux", "Kubernetes"], "defaultStatus": "unaffected"}], "datePublic": "2026-04-20T20:38:00.000Z", "references": [{"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/april2026_security_bulletin"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "An incorrect authorization vulnerability exists in Esri Portal for ArcGIS 11.4, 11.5 and 12.0 on Windows, Linux and Kubernetes that did not correctly check permissions assigned to developer credentials.", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: oklch(1 0 0);\">An incorrect authorization vulnerability exists in Esri Portal for ArcGIS 11.4, 11.5 and 12.0 on Windows, Linux and Kubernetes that did not correctly check permissions assigned to developer credentials. \n\n</span>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-266", "description": "CWE-266: Incorrect Privilege Assignment (4.19.1)"}]}], "providerMetadata": {"orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e", "shortName": "Esri", "dateUpdated": "2026-04-21T20:38:28.573Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33519", "state": "PUBLISHED", "dateUpdated": "2026-04-22T17:19:29.528Z", "dateReserved": "2026-03-20T17:25:24.410Z", "assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e", "datePublished": "2026-04-21T20:38:28.573Z", "assignerShortName": "Esri"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.4:-:*:*:*:*:*:*", "matchCriteriaId": "532CBBBF-BB12-483C-A996-A7DE7F0330A9", "vulnerable": true}, {"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.5:-:*:*:*:*:*:*", "matchCriteriaId": "595870AC-22E7-48D3-9C49-3917F9FC36F4", "vulnerable": true}, {"criteria": "cpe:2.3:a:esri:portal_for_arcgis:12.0:-:*:*:*:*:*:*", "matchCriteriaId": "233E1A80-7F7D-44B3-A4A2-FA351741118A", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:kubernetes:kubernetes:-:*:*:*:*:*:*:*", "matchCriteriaId": "14C32308-314D-4E0D-B15F-6A68DF21E9F9", "vulnerable": false}, {"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1", "vulnerable": false}, {"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An incorrect authorization vulnerability exists in Esri Portal for ArcGIS 11.4, 11.5 and 12.0 on Windows, Linux and Kubernetes that did not correctly check permissions assigned to developer credentials."}], "id": "CVE-2026-33519", "lastModified": "2026-05-18T18:19:36.637", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "psirt@esri.com", "type": "Primary"}]}, "published": "2026-04-21T21:16:29.673", "references": [{"source": "psirt@esri.com", "tags": ["Vendor Advisory"], "url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/april2026_security_bulletin"}], "sourceIdentifier": "psirt@esri.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-266"}], "source": "psirt@esri.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": ["windows", "linux", "kubernetes"], "status": "affected", "versions": {"scheme": "generic", "value": "11.4"}}, {"platform": ["windows", "linux", "kubernetes"], "status": "affected", "versions": {"scheme": "generic", "value": "11.5"}}, {"platform": ["windows", "linux", "kubernetes"], "status": "affected", "versions": {"scheme": "generic", "value": "12.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Portal for ArcGIS", "source": "cna", "vendor": "Esri"}, "product": "portal_for_arcgis", "vendor": "esri"}], "analysis": {"en": {"generated_at": "2026-04-22T04:39:31.462464+00:00", "value": {"mitigation_remediation": ["Install Esri\u2019s latest Portal for ArcGIS patch or upgrade to a version that resolves the privilege assignment bug.", "Revoke or reduce permissions for developer accounts and delete any unused or default developer credentials.", "Enable multi\u2011factor authentication for developer accounts and enforce the least privilege model for all personnel."], "summary": {"action": "Patch", "impact": "Unauthorized privilege escalation due to improper permission checks on developer accounts"}, "threat_synthesis": {"affected_systems": "Esri Portal for ArcGIS versions 11.4, 11.5, and 12.0 running on Windows, Linux, or Kubernetes are affected, regardless of deployment platform.", "description_and_impact": "An incorrect authorization vulnerability in Esri Portal for ArcGIS fails to validate permissions assigned to developer credentials, allowing attackers to gain higher levels of access than intended. The flaw is a classic example of improper privilege management (CWE\u2011266). An attacker who compromises or abuses a developer credential can elevate privileges within the portal, increasing the risk of data exposure or service disruption.", "risk_and_exploitability": "The CVSS score of 9.8 indicates a high severity vulnerability. While an EPSS score is not available, the lack of listing in the CISA KEV catalog suggests no known widespread exploitation yet, but the flaw remains exploitable under normal conditions. The likely attack vector involves misuse of developer credentials that bypass the portal\u2019s permission checks, potentially enabling an attacker to gain full administrative control over the portal instance."}}}}, "created": "2026-04-22T02:00:04.889368+00:00", "updated": "2026-04-22T04:45:09.351235+00:00", "vendors": ["esri", "esri$PRODUCT$portal_for_arcgis"]}