How severe is CVE-2026-33519?

CVE-2026-33519 is rated critical severity with a CVSS score of 9.8 out of 10.

What products are affected by CVE-2026-33519?

CVE-2026-33519 affects multiple products. Check vendor advisories for specific affected versions.

How do I fix CVE-2026-33519?

Apply the latest security patches from the vendor. If patching is not immediately possible, review the mitigation steps in this advisory and monitor for exploitation attempts.

Portal for ArcGIS unauth access (CVE-2026-33519)

Patch now - CVE-2026-33519 is a critical incorrect authorization vulnerability in Esri Portal for ArcGIS versions 11.4, 11.5, and 12.0 that grants unauthenticated attackers full access to restricted resources. Apply the security update from Esri immediately, as no workarounds are available.

Overview

Esri Portal for ArcGIS versions 11.4, 11.5, and 12.0 on Windows, Linux, and Kubernetes contain an incorrect authorization vulnerability in developer credentials. An attacker can exploit this flaw to access resources without proper authentication.

Technical Details

The vulnerability (CVSS 9.8) stems from insufficient permission checks on developer credentials. With an attack vector of NETWORK, low complexity, no required privileges, and no user interaction, this represents a critical security gap. An unauthenticated attacker can send crafted requests to bypass authorization controls.

Impact

Successful exploitation grants attackers unauthorized access to Portal for ArcGIS resources and capabilities that should be restricted. This can lead to data exposure, service disruption, or unauthorized configuration changes. Since the vulnerability requires no authentication, any internet-facing instance is at immediate risk.

Affected Versions

Portal for ArcGIS 11.4
Portal for ArcGIS 11.5
Portal for ArcGIS 12.0

Remediation

Esri has released patches for all affected versions. Administrators should:

Update Portal for ArcGIS to the latest patched version immediately
Review access logs for signs of unauthorized activity
Restrict network access to Portal for ArcGIS instances where immediate patching is not possible

Apply the update through Esri’s standard update mechanism or download from the Esri support site. No workarounds exist; patching is the only complete fix.

For context on credential-related attacks, see how Russian CTRL Toolkit Hijacks RDP via Malicious LNK leverages similar authorization gaps. Meanwhile, Storm-2561 Spreads Trojan VPN Clients via SEO Poisoning shows how attackers target credential systems. The Windows 11 KB5079391 update rolls out Smart App Control improvements highlight broader platform security trends.

Security Insight

This vulnerability underscores a recurring pattern in GIS platforms where developer credentials are treated as trusted by default. Esri’s slow response to correct permission checks in consecutive versions (11.4 through 12.0) suggests a systemic oversight in their credential handling architecture. Organizations using Portal for ArcGIS should treat developer accounts as high-value targets and consider additional network segmentation until the vendor improves their authorization framework.

Portal for ArcGIS unauth access (CVE-2026-33519)

Overview

Technical Details

Impact

Affected Versions

Remediation

Security Insight

Further Reading

Never miss a critical vulnerability

Related Advisories

Overview

Technical Details

Impact

Affected Versions

Remediation

Related Threats

Security Insight

Further Reading

Never miss a critical vulnerability

Related Advisories

Never Miss a Critical Alert