{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33518", "assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e", "state": "PUBLISHED", "assignerShortName": "Esri", "dateReserved": "2026-03-20T17:25:24.409Z", "datePublished": "2026-04-21T20:37:52.198Z", "dateUpdated": "2026-04-21T20:37:52.198Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["Windows", "Linux"], "product": "Portal for ArcGIS", "vendor": "Esri", "versions": [{"status": "affected", "version": "11.5"}]}], "datePublic": "2026-04-20T20:37:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: oklch(1 0 0);\">An incorrect privilege assignment vulnerability exists in Esri Portal for ArcGIS 11.5 in Windows and Linux that allows highly privileged users to create developer credentials that may grant more privileges than expected.</span>"}], "value": "An incorrect privilege assignment vulnerability exists in Esri Portal for ArcGIS 11.5 in Windows and Linux that allows highly privileged users to create developer credentials that may grant more privileges than expected."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-266", "description": "CWE-266: Incorrect Privilege Assignment (4.19.1)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e", "shortName": "Esri", "dateUpdated": "2026-04-21T20:37:52.198Z"}, "references": [{"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/april2026_security_bulletin"}], "source": {"defect": ["BUG-000183038 \u2013 Portal for ArcGIS has a security vulnerability"], "discovery": "UNKNOWN"}, "title": "Incorrect privilege assignment in Portal for ArcGIS", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An incorrect privilege assignment vulnerability exists in Esri Portal for ArcGIS 11.5 in Windows and Linux that allows highly privileged users to create developer credentials that may grant more privileges than expected."}], "id": "CVE-2026-33518", "lastModified": "2026-04-21T21:16:29.490", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "psirt@esri.com", "type": "Primary"}]}, "published": "2026-04-21T21:16:29.490", "references": [{"source": "psirt@esri.com", "url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/april2026_security_bulletin"}], "sourceIdentifier": "psirt@esri.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-266"}], "source": "psirt@esri.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": ["windows", "linux"], "status": "affected", "versions": {"scheme": "generic", "value": "11.5"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Portal for ArcGIS", "source": "cna", "vendor": "Esri"}, "product": "portal_for_arcgis", "vendor": "esri"}], "analysis": {"en": {"generated_at": "2026-04-22T02:14:03.365534+00:00", "value": {"mitigation_remediation": ["Apply the latest patch or upgrade to Esri Portal for ArcGIS 11.5 that addresses the incorrect privilege assignment issue.", "Review and harden role\u2011based access controls to enforce the principle of least privilege, ensuring only authorized administrators can create developer credentials.", "Audit and monitor credential creation events for anomalous or unauthorized activity, and restrict developer credential use to necessity only."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Esri Corporation\u2019s Portal for ArcGIS product, specifically version 11.5 running on Windows and Linux operating systems.", "description_and_impact": "An incorrect privilege assignment flaw in Esri Portal for ArcGIS 11.5 on Windows and Linux permits a highly privileged user to create developer credentials that carry more permissions than intended. This flaw, classified as CWE-266, enables attackers who already possess elevated privileges to generate credentials that may compromise system integrity or provide unauthorized access to other resources.", "risk_and_exploitability": "The flaw has a CVSS score of 9.8, indicating an extremely high severity. EPSS data is currently unavailable, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector requires an attacker to already be a trusted, elevated user within the system; once that condition is met, they can exploit the bug by creating rogue credentials to rotate or elevate access levels. Given the high severity and the need for privileged access, organizations with Esri Portal for ArcGIS deployments should treat this as an urgent exposure."}}}}, "created": "2026-04-22T02:15:05.406159+00:00", "updated": "2026-04-22T04:00:07.647581+00:00", "vendors": ["esri", "esri$PRODUCT$portal_for_arcgis"]}