An incorrect privilege assignment vulnerability exists in Esri Portal for ArcGIS 11.5 in Windows and Linux that allows highly privileged users to create developer credentials that may grant more privileges than expected.
The vulnerability stems from incorrect permission assignment logic when creating so-called developer credentials in the portal. A highly privileged user can generate such credentials that effectively obtain a broader scope of access rights than would be implied by the system's intended policy. The privilege control mechanism does not properly restrict the scope of permissions granted to newly created credentials.
An attacker who already possesses a high level of privileges can escalate their capabilities by creating developer credentials with unexpectedly broad scope of permissions, which may lead to unauthorized access to resources, breach of confidentiality, integrity, and availability of data in the portal.
Apply patches available from the vendor according to the references — detailed information is contained in the Esri security bulletin from April 2026 available at the address indicated in the product references.
Esri Portal for ArcGIS 11.5 on Windows and Linux systems
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HEsri Portal For Arcgis
APPEsri11.5Linux Kernel
OSLinuxwszystkie wersjeMicrosoft Windows
OSMicrosoftwszystkie wersje
Related vulnerabilities
Atak na łańcuch dostaw DAEMON Tools Lite — trojanizacja instalatorów
Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty
Commvault Command Center – nieuwierzytelniony RCE przez path traversal w ZIP
Path Traversal w Kingsoft WPS Office — ładowanie dowolnej biblioteki Windows
PHP CGI argument injection – RCE na Windows przez mechanizm Best-Fit