PT-2026-33362 · Esri · Portal For Arcgis

Published: 2026-04-16 · Updated: 2026-05-18 · CVE-2026-33519

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Esri Portal for ArcGIS versions 11.4 through 12.0

Description

An incorrect authorization issue exists where the system fails to correctly check permissions assigned to developer credentials. This flaw allows low-privilege users to generate Portal Administrator tokens by exploiting a failure in the validation of permission scopes. These unauthorized tokens can persist even after the software is patched or the user password is changed.

Recommendations

Update Esri Portal for ArcGIS to a version later than 12.0. Run the Esri Credential Check Tool to identify and purge unauthorized tokens. Enforce a global policy to remove malicious credentials that may have been generated prior to patching.

Fix

Incorrect Privilege Assignment

Weakness Enumeration

Related Identifiers

CVE-2026-33519

Affected Products

Portal For Arcgis