CVE-2026-33519

critical

Published 2026-04-21 · Modified 2026-05-18

CVSS v3

9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2

—

VIR risk

9.8

Description

An incorrect authorization vulnerability exists in Esri Portal for ArcGIS 11.4, 11.5 and 12.0 on Windows, Linux and Kubernetes that did not correctly check permissions assigned to developer credentials.

Predictions

Exploit likelihood

97%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: psirt@esri.com — https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/april2026_security_bulletin

OS impact

OS	Version	Status	Fixed in
linux-kernel	-	not-affected

Application impact

Vendor	Product	Versions
esri	portal_for_arcgis	`11.4`
esri	portal_for_arcgis	`11.5`
esri	portal_for_arcgis	`12.0`
kubernetes	kubernetes	`-`

References

https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/april2026_security_bulletin

CWEs

CWE-266

Verify integrity in audit chain (admin only). AS-IS.