Threat Advisory

ArcGIS Portal Vulnerability Exposes Developer Credentials

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in Esri's ArcGIS infrastructure, affecting developer credentials within ArcGIS Online, ArcGIS Location Platform, and ArcGIS Enterprise. The vulnerabilities, which carry a maximum Base CVSS score of 9.8, could allow for the creation of over-scoped credentials and unauthorized access to sensitive GIS infrastructure. This poses a significant business risk, as it could lead to data breaches, unauthorized access, and potential disruption of business operations. The vulnerabilities are related to how developer credentials, such as API keys and OAuth 2.0 tokens, are assigned and checked, highlighting the importance of proper access control and credential management.

  • CVE-2026-33518 with a CVSS score of 9.8: This "Incorrect Privilege Assignment" vulnerability exists in Portal for ArcGIS 11.5, allowing highly privileged users to create developer credentials that may grant more privileges than expected. This vulnerability can be exploited by an attacker with high privileges, enabling them to create over-scoped credentials and gain unauthorized access to sensitive resources.
  • CVE-2026-33519 with a CVSS score of 9.8: This "Incorrect Authorization" vulnerability affects Portal for ArcGIS versions 11.4, 11.5, and 12.0, as the system did not correctly check permissions assigned to developer credentials. An attacker with knowledge of this vulnerability can exploit it by submitting credentials with incorrect or missing permissions, leading to unauthorized access and potential data breaches.
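
The two weaknesses above are, in general terms, a privilege-assignment problem (a credential is minted with more privileges than its issuer should be able to delegate) and an authorization problem (a credential with missing or unrecognised privileges is still honoured). The following Python sketch is an added illustration of the least-privilege checks that close both gaps; it is not Esri's code and does not model ArcGIS internals. The privilege names, the `Principal`/`DeveloperCredential` types and the `DELEGATABLE_PRIVILEGES` catalogue are all constructed for this example.

```python
"""Least-privilege checks for developer credentials (illustrative only).

Covers two weakness classes described in the advisory:
  * issuing a credential whose privileges exceed what the issuer may delegate;
  * authorizing a request whose credential lacks the needed privilege or
    carries privileges the platform does not recognise.
All privilege strings and type names are constructed; none are ArcGIS identifiers.
"""
from dataclasses import dataclass
from typing import FrozenSet

# Constructed catalogue of privileges the platform is willing to delegate to
# developer credentials at all. Anything outside this set is never grantable.
DELEGATABLE_PRIVILEGES: FrozenSet[str] = frozenset({
    "content:read",
    "content:publish",
    "geocode",
    "routing",
})


@dataclass(frozen=True)
class Principal:
    """A user or service that can mint developer credentials."""
    name: str
    privileges: FrozenSet[str]


@dataclass(frozen=True)
class DeveloperCredential:
    """An API key or token as the platform would store it after issuance."""
    owner: str
    privileges: FrozenSet[str]


class CredentialError(ValueError):
    """Raised when a credential request would be over-scoped or malformed."""


def issue_credential(issuer: Principal, requested: FrozenSet[str]) -> DeveloperCredential:
    """Mint a credential only if every requested privilege is (a) delegatable
    and (b) already held by the issuer. Over-scoped requests are rejected,
    not silently trimmed, so the caller never ends up with a broader key
    than the one they asked for and reviewed."""
    unknown = requested - DELEGATABLE_PRIVILEGES
    if unknown:
        raise CredentialError(f"not delegatable: {sorted(unknown)}")
    escalation = requested - issuer.privileges
    if escalation:
        raise CredentialError(f"issuer lacks: {sorted(escalation)}")
    if not requested:
        raise CredentialError("credential must carry at least one privilege")
    return DeveloperCredential(owner=issuer.name, privileges=frozenset(requested))


def authorize(cred: DeveloperCredential, required: str) -> bool:
    """Fail closed: allow the operation only when every privilege on the
    credential is recognised and the required one is among them. A credential
    with an empty or unrecognised privilege set is denied regardless of the
    operation requested."""
    if not cred.privileges or not cred.privileges <= DELEGATABLE_PRIVILEGES:
        return False
    return required in cred.privileges


def demo() -> dict:
    """Exercise the checks against constructed principals and credentials."""
    admin = Principal("admin", frozenset({"content:read", "content:publish", "geocode"}))
    key = issue_credential(admin, frozenset({"geocode"}))
    results = {
        "geocode_allowed": authorize(key, "geocode"),
        "publish_denied": not authorize(key, "content:publish"),
    }
    # The issuer holds no "routing" privilege, so it cannot delegate it.
    try:
        issue_credential(admin, frozenset({"geocode", "routing"}))
        results["escalation_blocked"] = False
    except CredentialError:
        results["escalation_blocked"] = True
    # A stored credential carrying a privilege the platform does not know
    # (e.g. written by a buggy or bypassed issuance path) is rejected outright.
    malformed = DeveloperCredential("admin", frozenset({"content:read", "admin:*"}))
    results["malformed_denied"] = not authorize(malformed, "content:read")
    return results


if __name__ == "__main__":
    print(demo())
```

The design point is that scope is validated twice: at issuance, against both the delegatable catalogue and the issuer's own privileges, and again at use, where any privilege set that is empty or not fully recognised is treated as a denial rather than as "no restriction".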

The exploitation of these vulnerabilities could have severe consequences for organizations, including unauthorized access to sensitive data, disruption of business operations, and potential financial losses. The urgency of this situation is high, and immediate action is required to patch and remediate the affected systems.

RECOMMENDATION:

  • We recommend updating ArcGIS Portal for ArcGIS to version 11.6, ArcGIS Enterprise version 11.5, and ArcGIS Enterprise version 12.0 Update 3.

REFERENCES:

The following reports contain further technical details:
https://securityonline.info/arcgis-critical-vulnerability-developer-credentials-patch-2026/
