LeakyCreds

CVE-2026-33518 - Vulnerability Analysis

Critical | CVSS: 9.8

Last Updated: April 21, 2026

Esri Portal for ArcGIS - Broken Access Control

Published: April 21, 2026 | Updated: April 21, 2026 | Remote Exploitable

Overview

Esri Portal for ArcGIS 11.5 contains an incorrect privilege assignment vulnerability caused by improper privilege settings. It lets highly privileged users create developer credentials with excessive privileges. Exploitation requires high-privilege user access.

Severity & Score

Severity: Critical
CVSS Score: 9.8

Impact

Highly privileged users can create developer credentials with elevated privileges, potentially leading to privilege escalation.

Mitigation

Update to the latest version of Esri Portal for ArcGIS.

Details

CVE ID: CVE-2026-33518
Severity: Critical
CVSS Score: 9.8
Type: broken_access_control
Status: new

CWE

  • CWE-266

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H