CRITICAL🇵🇱 Wersja polska

CVE-2026-33519

CVSS 9.8v3.1pub. 2026-04-21upd. 2026-05-18

An incorrect authorization vulnerability exists in Esri Portal for ArcGIS 11.4, 11.5 and 12.0 on Windows, Linux and Kubernetes that did not correctly check permissions assigned to developer credentials.

🤖 AI Analysis
How it works

Portal for ArcGIS improperly verifies permissions assigned to developer credentials, which means that access control is not enforced according to the intended permission model. A remote, unauthenticated attacker can exploit the misconfigured authorization mechanism to gain access to resources or operations for which they should not have permissions. The vulnerability affects installations on Windows, Linux, and Kubernetes platforms.

Impact

An attacker can obtain unauthorized access to sensitive data, modify portal resources, or disrupt its availability, which corresponds to a complete breach of system confidentiality, integrity, and availability (CVSS C:H/I:H/A:H).

Mitigation & patch

Patches available from the manufacturer should be applied according to references — detailed information about fixes is contained in the Esri security bulletin from April 2026 available at: https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/april2026_security_bulletin

Who is affected

Esri Portal for ArcGIS in versions 11.4, 11.5, and 12.0 on Windows, Linux, and Kubernetes systems.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Esri Portal For Arcgis

    APP
    Esri
    11.411.512.0
  • Kubernetes

    APP
    Kubernetes
    wszystkie wersje
  • Linux Kernel

    OS
    Linux
    wszystkie wersje
  • Microsoft Windows

    OS
    Microsoft
    wszystkie wersje
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Container
CWE
References

Related vulnerabilities

CVE-2026-8398CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Atak na łańcuch dostaw DAEMON Tools Lite — trojanizacja instalatorów

CVE-2025-10585CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty

CVE-2025-34028CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Commvault Command Center – nieuwierzytelniony RCE przez path traversal w ZIP

CVE-2024-7262CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Path Traversal w Kingsoft WPS Office — ładowanie dowolnej biblioteki Windows

CVE-2024-4577CRITICAL9.8⚠ KEVPL ✓ten sam produkt

PHP CGI argument injection – RCE na Windows przez mechanizm Best-Fit