An incorrect authorization vulnerability exists in Esri Portal for ArcGIS 11.4, 11.5 and 12.0 on Windows, Linux and Kubernetes that did not correctly check permissions assigned to developer credentials.
Portal for ArcGIS improperly verifies permissions assigned to developer credentials, which means that access control is not enforced according to the intended permission model. A remote, unauthenticated attacker can exploit the misconfigured authorization mechanism to gain access to resources or operations for which they should not have permissions. The vulnerability affects installations on Windows, Linux, and Kubernetes platforms.
An attacker can obtain unauthorized access to sensitive data, modify portal resources, or disrupt its availability, which corresponds to a complete breach of system confidentiality, integrity, and availability (CVSS C:H/I:H/A:H).
Patches available from the manufacturer should be applied according to references — detailed information about fixes is contained in the Esri security bulletin from April 2026 available at: https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/april2026_security_bulletin
Esri Portal for ArcGIS in versions 11.4, 11.5, and 12.0 on Windows, Linux, and Kubernetes systems.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HEsri Portal For Arcgis
APPEsri11.411.512.0Kubernetes
APPKuberneteswszystkie wersjeLinux Kernel
OSLinuxwszystkie wersjeMicrosoft Windows
OSMicrosoftwszystkie wersje
Related vulnerabilities
Atak na łańcuch dostaw DAEMON Tools Lite — trojanizacja instalatorów
Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty
Commvault Command Center – nieuwierzytelniony RCE przez path traversal w ZIP
Path Traversal w Kingsoft WPS Office — ładowanie dowolnej biblioteki Windows
PHP CGI argument injection – RCE na Windows przez mechanizm Best-Fit