PatchSiren cyber security CVE debrief

CVE-2026-33518 Esri CVE debrief

CVE-2026-33518 is a critical vulnerability in Esri Portal for ArcGIS 11.5 on Windows and Linux. The issue is described as an incorrect privilege assignment that can leave developer credentials holding more privileges than intended. NVD rates the flaw as CVSS v3.1 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), so defenders should treat it as urgent even though the vendor-facing description centers on privilege handling. The main risk is unauthorized elevation of capability inside Portal for ArcGIS, which can translate into broad confidentiality, integrity, and availability impact if abused. The supplied record cites Esri’s April 2026 security bulletin as the vendor reference and maps the weakness to CWE-266 (incorrect privilege assignment).

Vendor: Esri
Product: Portal for ArcGIS
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-21
Original CVE updated: 2026-05-18
Advisory published: 2026-04-21
Advisory updated: 2026-05-18

Who should care

Organizations running Esri Portal for ArcGIS 11.5 on Windows or Linux, especially administrators who issue or manage developer credentials, should treat this as high priority. Security teams responsible for identity, access control, and application administration should also review it.

Technical summary

The vulnerability is an incorrect privilege assignment in Esri Portal for ArcGIS 11.5. According to the supplied vendor description, highly privileged users may be able to create developer credentials that grant more privileges than intended. The NVD record classifies the issue as analyzed, references Esri’s April 2026 security bulletin, and assigns CWE-266. NVD also reports a critical CVSS v3.1 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Defensive priority

Critical. This is a network-relevant, high-impact authorization flaw in a core ArcGIS component. Prioritize patching or vendor-guided mitigation, verify whether Portal for ArcGIS 11.5 is present, and review credential issuance paths immediately.

Recommended defensive actions

  • Check whether Esri Portal for ArcGIS 11.5 is deployed anywhere in your environment, on either Windows or Linux.
  • Review Esri’s April 2026 security bulletin and apply the vendor-recommended fix or mitigation as soon as possible.
  • Audit any developer credential creation and privilege assignment workflows for unexpected elevation paths.
  • Limit and monitor administrative access that can create or manage developer credentials.
  • Review logs and authorization events for unusual credential creation or privilege changes.
  • Update asset inventories and incident response runbooks to include Portal for ArcGIS 11.5 as a priority application.
  • If immediate patching is not possible, follow vendor guidance and restrict exposure of administrative interfaces as much as operationally feasible.
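One way to carry out the credential audit described above is to export the developer credentials Portal for ArcGIS has issued and compare each one's privilege set against the baseline your organization expects a developer credential to carry. The script below is an added example, not Esri's code and not taken from the bulletin; it assumes an export in JSON with `id`, `owner` and `privileges` fields, and that privilege strings use a `portal:<scope>:<action>` style in which anything under `portal:admin:` is administrative. Both the field names and the privilege strings are assumptions for illustration, and the sample export is constructed.

```python
"""Audit developer-credential privilege grants against an expected baseline.

Added example (not Esri's own code). Assumes an exported list of credential
records with 'id', 'owner' and 'privileges' fields, and privilege strings
of the form 'portal:<scope>:<action>'. Adjust both to match your real export.
"""
import json
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Baseline: privileges a developer credential is expected to carry (assumed).
EXPECTED_DEVELOPER_PRIVILEGES = frozenset({
    "portal:user:viewOrgItems",
    "portal:user:createItem",
    "portal:publisher:publishFeatures",
})

# Any privilege in these scopes on a developer credential is treated as elevation.
HIGH_RISK_SCOPES = ("portal:admin:",)


@dataclass(frozen=True)
class Finding:
    credential_id: str
    owner: str
    unexpected: Tuple[str, ...]  # privileges beyond the baseline, sorted
    high_risk: Tuple[str, ...]   # the subset that falls in an admin scope


def audit_credentials(records: Iterable[dict],
                      baseline=EXPECTED_DEVELOPER_PRIVILEGES) -> List[Finding]:
    """Return one Finding per credential whose privileges exceed the baseline.

    Credentials with high-risk (admin-scope) privileges are listed first so
    the most urgent elevation paths surface at the top of the report.
    """
    findings = []
    for rec in records:
        privs = set(rec.get("privileges", []))
        unexpected = tuple(sorted(privs - baseline))
        if not unexpected:
            continue  # within baseline: nothing to report
        high_risk = tuple(p for p in unexpected if p.startswith(HIGH_RISK_SCOPES))
        findings.append(Finding(rec["id"], rec["owner"], unexpected, high_risk))
    # Admin-scope findings first, then by credential id for a stable report.
    findings.sort(key=lambda f: (not f.high_risk, f.credential_id))
    return findings


def audit_json(text: str, baseline=EXPECTED_DEVELOPER_PRIVILEGES) -> List[Finding]:
    """Parse a JSON export (a list of credential records) and audit it."""
    return audit_credentials(json.loads(text), baseline)


# Constructed sample export: three developer credentials, one of which
# carries admin-scope privileges and one of which merely exceeds the baseline.
SAMPLE_EXPORT = json.dumps([
    {"id": "dev-001", "owner": "gis_dev_a",
     "privileges": ["portal:user:viewOrgItems", "portal:user:createItem"]},
    {"id": "dev-002", "owner": "gis_dev_b",
     "privileges": ["portal:user:createItem",
                    "portal:admin:viewUsers", "portal:admin:updateUsers"]},
    {"id": "dev-003", "owner": "gis_dev_c",
     "privileges": ["portal:publisher:publishFeatures",
                    "portal:publisher:publishScenes"]},
])

if __name__ == "__main__":
    for f in audit_json(SAMPLE_EXPORT):
        tag = "HIGH RISK" if f.high_risk else "review"
        print(f"[{tag}] {f.credential_id} ({f.owner}): {', '.join(f.unexpected)}")
```

Run against a real export, every line tagged HIGH RISK is a credential whose issuance path should be traced back to the administrator who created it and to the workflow that set its privileges; the "review" lines are deviations from baseline that may be legitimate but still merit a look.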

Evidence notes

Evidence in the supplied record comes from NVD’s analyzed CVE entry and the linked Esri April 2026 security bulletin. NVD lists the affected product as Esri Portal for ArcGIS 11.5 and records the weakness as CWE-266. The record also supplies a critical CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). No KEV listing or ransomware-campaign linkage is present in the supplied data.

Official resources

The supplied record shows the CVE as published 2026-04-21 and last modified 2026-05-18. No KEV dates are provided, and the supplied data does not indicate known ransomware-campaign use.