CVE-2026-33518 - Vulnerability Details - OpenCVE

An incorrect privilege assignment vulnerability exists in Esri Portal for ArcGIS 11.5 in Windows and Linux that allows highly privileged users to create developer credentials that may grant more privileges than expected.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00041.

Exploitation none

Automatable yes

Technical Impact total

Vendors	Products
Esri	Portal For Arcgis

No data.

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Esri	Portal For Arcgis

References

Link	Providers
https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/april2026_security_bulletin

History

Wed, 22 Apr 2026 13:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Wed, 22 Apr 2026 04:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Esri Esri portal For Arcgis
Vendors & Products		Esri Esri portal For Arcgis

Wed, 22 Apr 2026 00:00:00 +0000

Type	Values Removed	Values Added
Description		An incorrect privilege assignment vulnerability exists in Esri Portal for ArcGIS 11.5 in Windows and Linux that allows highly privileged users to create developer credentials that may grant more privileges than expected.
Title		Incorrect privilege assignment in Portal for ArcGIS
Weaknesses		CWE-266
References		https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/april2026_security_bulletin
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

MITRE

Status: PUBLISHED

Assigner: Esri

Published: 2026-04-21T20:37:52.198Z

Updated: 2026-04-22T12:59:55.699Z

Reserved: 2026-03-20T17:25:24.409Z

Link: CVE-2026-33518

Vulnrichment

Updated: 2026-04-22T12:59:30.289Z

NVD

Status : Received

Published: 2026-04-21T21:16:29.490

Modified: 2026-04-21T21:16:29.490

Link: CVE-2026-33518

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T04:45:09Z

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33518", "assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e", "state": "PUBLISHED", "assignerShortName": "Esri", "dateReserved": "2026-03-20T17:25:24.409Z", "datePublished": "2026-04-21T20:37:52.198Z", "dateUpdated": "2026-04-22T12:59:55.699Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["Windows", "Linux"], "product": "Portal for ArcGIS", "vendor": "Esri", "versions": [{"status": "affected", "version": "11.5"}]}], "datePublic": "2026-04-20T20:37:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: oklch(1 0 0);\">An incorrect privilege assignment vulnerability exists in Esri Portal for ArcGIS 11.5 in Windows and Linux that allows highly privileged users to create developer credentials that may grant more privileges than expected.</span>"}], "value": "An incorrect privilege assignment vulnerability exists in Esri Portal for ArcGIS 11.5 in Windows and Linux that allows highly privileged users to create developer credentials that may grant more privileges than expected."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-266", "description": "CWE-266: Incorrect Privilege Assignment (4.19.1)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e", "shortName": "Esri", "dateUpdated": "2026-04-21T20:37:52.198Z"}, "references": [{"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/april2026_security_bulletin"}], "source": {"defect": ["BUG-000183038 \u2013 Portal for ArcGIS has a security vulnerability"], "discovery": "UNKNOWN"}, "title": "Incorrect privilege assignment in Portal for ArcGIS", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T12:59:14.767845Z", "id": "CVE-2026-33518", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T12:59:55.699Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33518", "assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e", "state": "PUBLISHED", "assignerShortName": "Esri", "dateReserved": "2026-03-20T17:25:24.409Z", "datePublished": "2026-04-21T20:37:52.198Z", "dateUpdated": "2026-04-22T12:59:55.699Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["Windows", "Linux"], "product": "Portal for ArcGIS", "vendor": "Esri", "versions": [{"status": "affected", "version": "11.5"}]}], "datePublic": "2026-04-20T20:37:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: oklch(1 0 0);\">An incorrect privilege assignment vulnerability exists in Esri Portal for ArcGIS 11.5 in Windows and Linux that allows highly privileged users to create developer credentials that may grant more privileges than expected.</span>"}], "value": "An incorrect privilege assignment vulnerability exists in Esri Portal for ArcGIS 11.5 in Windows and Linux that allows highly privileged users to create developer credentials that may grant more privileges than expected."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-266", "description": "CWE-266: Incorrect Privilege Assignment (4.19.1)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e", "shortName": "Esri", "dateUpdated": "2026-04-21T20:37:52.198Z"}, "references": [{"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/april2026_security_bulletin"}], "source": {"defect": ["BUG-000183038 \u2013 Portal for ArcGIS has a security vulnerability"], "discovery": "UNKNOWN"}, "title": "Incorrect privilege assignment in Portal for ArcGIS", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33518", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-22T12:59:14.767845Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T12:59:30.289Z"}}]}}

{"affected": [{"configurations": [{"platform": ["windows", "linux"], "status": "affected", "versions": {"scheme": "generic", "value": "11.5"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Portal for ArcGIS", "source": "cna", "vendor": "Esri"}, "product": "portal_for_arcgis", "vendor": "esri"}], "analysis": {"en": {"generated_at": "2026-04-22T04:39:55.467806+00:00", "value": {"mitigation_remediation": ["Apply the latest patch or upgrade to Esri Portal for ArcGIS 11.5 that addresses the incorrect privilege assignment issue.", "Review and harden role\u2011based access controls to enforce the principle of least privilege, ensuring only authorized administrators can create developer credentials.", "Audit and monitor credential creation events for anomalous or unauthorized activity, and restrict developer credential use to necessity only."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Esri Corporation\u2019s Portal for ArcGIS product, specifically version 11.5 running on Windows and Linux operating systems.", "description_and_impact": "An incorrect privilege assignment flaw in Esri Portal for ArcGIS 11.5 on Windows and Linux permits a highly privileged user to create developer credentials that carry more permissions than intended. This flaw, classified as CWE-266, enables attackers who already possess elevated privileges to generate credentials that may compromise system integrity or provide unauthorized access to other resources.", "risk_and_exploitability": "The flaw has a CVSS score of 9.8, indicating an extremely high severity. EPSS data is currently unavailable, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector requires an attacker to already be a trusted, elevated user within the system; once that condition is met, they can exploit the bug by creating rogue credentials to rotate or elevate access levels. Given the high severity and the need for privileged access, organizations with Esri Portal for ArcGIS deployments should treat this as an urgent exposure."}}}}, "created": "2026-04-22T02:15:05.406159+00:00", "updated": "2026-04-22T04:45:09.351787+00:00", "vendors": ["esri", "esri$PRODUCT$portal_for_arcgis"]}