CRITICAL🇵🇱 Wersja polska

CVE-2026-33518

CVSS 9.8v3.1pub. 2026-04-21upd. 2026-05-18

An incorrect privilege assignment vulnerability exists in Esri Portal for ArcGIS 11.5 in Windows and Linux that allows highly privileged users to create developer credentials that may grant more privileges than expected.

🤖 AI Analysis
How it works

The vulnerability stems from incorrect permission assignment logic when creating so-called developer credentials in the portal. A highly privileged user can generate such credentials that effectively obtain a broader scope of access rights than would be implied by the system's intended policy. The privilege control mechanism does not properly restrict the scope of permissions granted to newly created credentials.

Impact

An attacker who already possesses a high level of privileges can escalate their capabilities by creating developer credentials with unexpectedly broad scope of permissions, which may lead to unauthorized access to resources, breach of confidentiality, integrity, and availability of data in the portal.

Mitigation & patch

Apply patches available from the vendor according to the references — detailed information is contained in the Esri security bulletin from April 2026 available at the address indicated in the product references.

Who is affected

Esri Portal for ArcGIS 11.5 on Windows and Linux systems

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Esri Portal For Arcgis

    APP
    Esri
    11.5
  • Linux Kernel

    OS
    Linux
    wszystkie wersje
  • Microsoft Windows

    OS
    Microsoft
    wszystkie wersje
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-8398CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Atak na łańcuch dostaw DAEMON Tools Lite — trojanizacja instalatorów

CVE-2025-10585CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty

CVE-2025-34028CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Commvault Command Center – nieuwierzytelniony RCE przez path traversal w ZIP

CVE-2024-7262CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Path Traversal w Kingsoft WPS Office — ładowanie dowolnej biblioteki Windows

CVE-2024-4577CRITICAL9.8⚠ KEVPL ✓ten sam produkt

PHP CGI argument injection – RCE na Windows przez mechanizm Best-Fit