What is CVE-2026-33519?

CVE-2026-33519 is a critical-severity vulnerability in Esri Portal For Arcgis, classified under Incorrect Privilege Assignment. CVSS score: 9.8/10. Published 2026-04-21.

How severe is CVE-2026-33519?

Critical severity. CVSS v3 base score is 9.8 out of 10.

Privilege escalation in Esri Portal For Arcgis

CVE-2026-33519

An incorrect authorization vulnerability exists in Esri Portal for ArcGIS 11.4, 11.5 and 12.0 on Windows, Linux and Kubernetes that did not correctly check permissions assigned to developer credentials.

EPSS: 0.001 (20.2th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.8 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Affected products

Esri Portal For Arcgis — versions 11.4, 11.5, 12.0
Esri Portal_for_arcgis — versions 11.4, 11.5, 12.0
Kubernetes
Linux Linux_kernel
Microsoft Windows

Weakness classification (CWE)

CWE-266 — Incorrect Privilege Assignment

References

psirt@esri.com (Vendor Advisory)

Frequently asked questions

What is CVE-2026-33519?: CVE-2026-33519 is a critical-severity vulnerability in Esri Portal For Arcgis, classified under Incorrect Privilege Assignment. CVSS score: 9.8/10. Published 2026-04-21.
How severe is CVE-2026-33519?: Critical severity. CVSS v3 base score is 9.8 out of 10.