PatchSiren

CVE-2026-33519 Esri CVE debrief

CVE-2026-33519 is a critical incorrect-authorization vulnerability in Esri Portal for ArcGIS. Esri’s April 2026 security bulletin and the NVD record describe a failure to correctly check permissions assigned to developer credentials. The NVD entry rates the issue CVSS 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating a remotely reachable flaw with potential high impact to confidentiality, integrity, and availability. The vulnerable NVD CPEs enumerate Portal for ArcGIS 11.4, 11.5, and 12.0.

Vendor: Esri
Product: Portal for ArcGIS
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-21
Original CVE updated: 2026-05-18
Advisory published: 2026-04-21
Advisory updated: 2026-05-18

Who should care

Administrators, security teams, and monitoring staff responsible for Esri Portal for ArcGIS 11.4, 11.5, or 12.0 deployments should treat this as urgent. This is especially important where developer credentials are used or where Portal for ArcGIS is exposed to broader network access.

Technical summary

The official description says Portal for ArcGIS did not correctly check permissions assigned to developer credentials. NVD maps the issue to CWE-266 and publishes CVSS v3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The NVD vulnerable CPE list identifies Esri Portal for ArcGIS 11.4, 11.5, and 12.0 as affected.

Defensive priority

Immediate

Recommended defensive actions

  • Inventory all Esri Portal for ArcGIS installations and confirm whether any instance is running 11.4, 11.5, or 12.0.
  • Review Esri’s April 2026 security bulletin and apply the vendor’s recommended remediation as soon as it is available.
  • Limit and audit use of developer credentials until affected systems are remediated.
  • Review authentication and authorization logs for unexpected developer-credential activity or unusual privilege use.
  • If remediation is delayed, reduce exposure of administrative interfaces and keep access tightly restricted to trusted management paths.

Evidence notes

Based only on the supplied official sources: the NVD record for CVE-2026-33519 and Esri’s April 2026 security bulletin reference. NVD marks the vulnerability status as analyzed, lists CVSS 9.8 with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, and identifies CWE-266. The supplied enrichment marks isKev=false and provides no CISA KEV dates.

Official resources

Publicly disclosed on 2026-04-21 in the Esri bulletin and NVD record; the NVD entry was last modified on 2026-05-18. No CISA KEV listing is included in the supplied enrichment.