Esri Releases Critical Security Patches for ArcGIS Developer Credential Vulnerabilities
Take action: If you run self-hosted ArcGIS portals, check whether you use developer credentials (API keys or OAuth 2.0 credentials). If you do, patch as soon as possible. Even if you don't use them today, patch anyway: someone in your organization will eventually enable them. Until the patch is applied, audit your API keys and OAuth 2.0 credentials and disable any you cannot vouch for.
Learn More
Esri released an urgent security bulletin on April 13, 2026, addressing two critical vulnerabilities in its ArcGIS ecosystem. The vulnerabilities allow the creation and use of over-scoped credentials via API keys and OAuth 2.0 tokens, potentially granting unauthorized access to sensitive geographic data and system resources. Esri has already updated its cloud-based services, but on-premises administrators must take manual action to secure their environments.
Vulnerabilities summary:
- CVE-2026-33518 (CVSS score 9.8), an incorrect privilege assignment vulnerability in Portal for ArcGIS 11.5 that allows highly privileged users to generate developer credentials with more permissions than intended. The flaw sits in the credential creation logic and can give automated scripts or applications unintended administrative-level access. Anyone holding such an over-privileged token can perform actions far beyond the scope of a standard developer account.
- CVE-2026-33519 (CVSS score 9.8), an incorrect authorization vulnerability in Portal for ArcGIS 11.5 and 12.0 where the system fails to properly validate the permissions assigned to developer credentials. By exploiting this flaw, an attacker or a misconfigured application can bypass intended access controls and interact with restricted resources, leading to unauthorized data manipulation or exfiltration within the ArcGIS environment.
Organizations that do not use developer credentials, such as API keys or OAuth 2.0 credentials for application authentication, are not at risk. However, those utilizing these features must verify their security posture immediately to prevent unauthorized system takeover or data breaches.
The flaws affect ArcGIS Online, ArcGIS Location Platform, and ArcGIS Enterprise. Esri has already applied patches to ArcGIS Online and ArcGIS Location Platform.
For on-premises users, the vulnerabilities impact Portal for ArcGIS versions 11.5 and 12.0. Esri released security patches for Windows and Linux environments, and Kubernetes customers are required to apply 12.0 Update 3 to resolve the authorization flaws.
Administrators should install the April 2026 security patches as soon as possible, ideally outside business hours to limit operational disruption. The patch resets over-scoped credentials to their default permissions, and uninstalling the update does not reverse that reset, so take a system backup before deploying it.
If immediate patching is not possible, Esri recommends invalidating all active API keys and OAuth 2.0 credentials until the environment is secured.
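The audit step above (find developer credentials whose privileges exceed what their owner should be able to delegate, then build a revocation list) is what an administrator has to do by hand before the patch lands. The following is an added example, not Esri's code and not part of the bulletin. It works on an inventory you would export from the portal's admin tooling; the JSON field names used here (`owner`, `credentialType`, `privileges`) and the two-owner dataset are constructed assumptions, not a documented Portal for ArcGIS response shape. The privilege strings follow the `portal:user:*`, `portal:admin:*` and `premium:user:*` naming that Portal for ArcGIS uses for role privileges.

```python
"""Flag over-scoped ArcGIS developer credentials (API keys / OAuth 2.0 app credentials).

Added example, not Esri code. CREDENTIAL_INVENTORY and OWNER_ROLE_PRIVILEGES are
CONSTRUCTED sample data; their field names are an assumed export shape.
"""
from __future__ import annotations

import fnmatch
from dataclasses import dataclass, field

# Policy: an unattended script or app should never hold admin-level privileges,
# regardless of whether its owner happens to be an administrator.
ADMIN_PATTERNS = ("portal:admin:*",)

# CONSTRUCTED: privileges granted by each credential owner's portal role.
OWNER_ROLE_PRIVILEGES = {
    "gis_dev": {"portal:user:createItem", "portal:user:shareToGroup",
                "premium:user:geocode"},
    "ops_admin": {"portal:user:createItem", "portal:admin:viewUsers",
                  "portal:admin:updateUsers"},
}

# CONSTRUCTED: developer credentials as exported from the portal (assumed shape).
CREDENTIAL_INVENTORY = [
    {"id": "a1", "title": "geocode-batch", "owner": "gis_dev",
     "credentialType": "apiKey", "privileges": ["premium:user:geocode"]},
    {"id": "b2", "title": "nightly-sync", "owner": "gis_dev",
     "credentialType": "apiKey",
     "privileges": ["portal:user:createItem", "portal:admin:updateUsers"]},
    {"id": "c3", "title": "user-report", "owner": "ops_admin",
     "credentialType": "oauth2",
     "privileges": ["portal:admin:viewUsers", "portal:admin:deleteUsers"]},
]


@dataclass
class Finding:
    credential_id: str
    title: str
    owner: str
    beyond_owner: set[str] = field(default_factory=set)  # not held by the owner's role
    admin_level: set[str] = field(default_factory=set)   # matches ADMIN_PATTERNS

    @property
    def should_revoke(self) -> bool:
        return bool(self.beyond_owner or self.admin_level)


def matches_any(privilege: str, patterns) -> bool:
    """Glob-style match of one privilege string against a tuple of patterns."""
    return any(fnmatch.fnmatchcase(privilege, p) for p in patterns)


def audit(inventory, owner_privileges, admin_patterns=ADMIN_PATTERNS) -> list[Finding]:
    """Return one Finding per credential that is over-scoped.

    A credential is over-scoped if it carries a privilege its owner's role does
    not grant (the CVE-2026-33518 condition) or any admin-level privilege at all.
    An owner missing from owner_privileges (orphaned credential) grants nothing,
    so every privilege on such a credential is reported.
    """
    findings = []
    for cred in inventory:
        owner = cred["owner"]
        allowed = owner_privileges.get(owner, set())
        granted = set(cred.get("privileges", []))
        f = Finding(cred["id"], cred["title"], owner,
                    beyond_owner=granted - allowed,
                    admin_level={p for p in granted if matches_any(p, admin_patterns)})
        if f.should_revoke:
            findings.append(f)
    return findings


def revocation_list(findings) -> list[str]:
    """Sorted credential ids to invalidate in the portal until the patch is applied."""
    return sorted(f.credential_id for f in findings)


if __name__ == "__main__":
    results = audit(CREDENTIAL_INVENTORY, OWNER_ROLE_PRIVILEGES)
    for r in results:
        print(f"{r.credential_id} ({r.title}, owner={r.owner}): "
              f"beyond owner={sorted(r.beyond_owner)} admin={sorted(r.admin_level)}")
    print("revoke:", revocation_list(results))
```

On the constructed data, `geocode-batch` passes (its single privilege is one its owner holds and is not admin-level), `nightly-sync` is flagged because `portal:admin:updateUsers` is both beyond its owner's role and admin-level, and `user-report` is flagged even though its owner is an administrator, because `portal:admin:deleteUsers` is not in that role and the credential carries admin-level privileges an unattended app should not have. The second rule is a policy choice you can drop by passing an empty `admin_patterns`; the first rule is the check the vulnerability itself defeats.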