Esri Portal for ArcGIS Incorrect Authorization Vulnerability in Developer Credentials

Vulnerability

An incorrect authorization vulnerability has been identified in Esri Portal for ArcGIS versions 11.4, 11.5, and 12.0, across Windows, Linux, and Kubernetes platforms. The vulnerability arises from improper validation of the permissions linked to developer credentials, which could lead to unauthorized access or actions.

Impact

Exploitation of this vulnerability could result in developer credentials being granted permissions that exceed the intended scope, potentially allowing for unauthorized actions or access within the application.

Remediation

Users of Esri Portal for ArcGIS 11.5 and 12.0 should apply the security patch released on 4/13/2026, with an updated patch version available as of 4/16/2026. Portal for ArcGIS 11.4 users can download the patch released on 4/20/2026. Kubernetes customers should apply ArcGIS Portal for ArcGIS 12.0 Update 3. After applying the patch, it is recommended to review and, if necessary, reissue developer credentials to ensure they have the correct permissions.

Added: Apr 21, 2026, 11:19 PM
Updated: Apr 21, 2026, 11:19 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 0.6
exploitability: 4.8
remediation: 8.3
relevance: 6.4
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.