Privilege escalation in Esri Portal For Arcgis
CVE-2026-33518
An incorrect privilege assignment vulnerability exists in Esri Portal for ArcGIS 11.5 in Windows and Linux that allows highly privileged users to create developer credentials that may grant more privileges than expected.
EPSS: 0.001 (18.2th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 9.8 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
Affected products
- Esri Portal For Arcgis — versions 11.5
- Esri Portal_for_arcgis — versions 11.5
- Linux Linux_kernel
- Microsoft Windows
Weakness classification (CWE)
References
- psirt@esri.com (Vendor Advisory)
Frequently asked questions
- What is CVE-2026-33518?
- CVE-2026-33518 is a critical-severity vulnerability in Esri Portal For Arcgis, classified under Incorrect Privilege Assignment. CVSS score: 9.8/10. Published 2026-04-21.
- How severe is CVE-2026-33518?
- Critical severity. CVSS v3 base score is 9.8 out of 10.