Critical auth flaw: CVE-2026-33519
- Researchers published an incorrect-authorization vulnerability identified as CVE-2026-33519. - The flaw carries a CVSS score of 9.8, classifying it as critically severe for access control. - Security advisories urged immediate remediation because successful exploitation could grant broad unauthorized access. (sherlockforensics.com)
A critical access-control flaw in Esri’s Portal for ArcGIS can let attackers get permissions they were not meant to have. (github.com) The bug is tracked as CVE-2026-33519 and was published on April 21, 2026, with a Common Vulnerability Scoring System score of 9.8 out of 10. GitHub’s advisory says it affects Portal for ArcGIS 11.4, 11.5, and 12.0 on Windows, Linux, and Kubernetes. (github.com) In plain terms, authorization is the rulebook that decides what an account can do after it signs in. In this case, Esri said Portal for ArcGIS “did not correctly check permissions assigned to developer credentials,” which could give a credential broader access than intended. (github.com) Portal for ArcGIS is the management hub inside ArcGIS Enterprise, where organizations store maps, layers, apps, and settings. Esri’s April 13, 2026 security bulletin said the issue affects developer credentials used across ArcGIS Online, ArcGIS Location Platform, and ArcGIS Enterprise. (esri.com) Esri told customers to check whether applications and scripts that use developer credentials still work after updating. The same bulletin said the patch “resets potentially over-scoped developer credentials,” which means some credentials may lose access after remediation and need review. (esri.com) Esri also issued a Portal for ArcGIS Security 2026 Update 1 Patch, with a release date of April 16, 2026 or later, and said systems that install the replacement build will show “Patch B.” The support notice says administrators do not need to uninstall the original patch before installing the new setup. (support.esri.com) The severity score reflects a worst-case remote attack path: network-based exploitation, low attack complexity, no privileges required, and no user interaction. The same advisory rates the possible impact on confidentiality, integrity, and availability as high. (github.com) Esri’s bulletin tied the fix to guidance from the Cybersecurity and Infrastructure Security Agency, which recommends applying critical patches within 15 days. That puts the immediate work on ArcGIS administrators: patch the portal, review developer credentials, and test any automation that depends on them. (esri.com)
