Esri has issued an urgent security bulletin regarding two critical vulnerabilities affecting developer credentials within ArcGIS Online, ArcGIS Location Platform, and ArcGIS Enterprise. The flaws, which carry a maximum Base CVSS score of 9.8, could allow for the creation of over-scoped credentials and unauthorized access to sensitive GIS infrastructure.
While ArcGIS Online and Location Platform were patched on April 13, 2026, the company warns that the Portal for ArcGIS security patches “should be installed with the highest priority”.
The bulletin details two primary security holes related to how developer credentials—such as API keys and OAuth 2.0 tokens—are assigned and checked.
- CVE-2026-33518 (CVSS 9.8): This “Incorrect Privilege Assignment” vulnerability exists in Portal for ArcGIS 11.5. It allows highly privileged users to “create developer credentials that may grant more privileges than expected”.
- CVE-2026-33519 (CVSS 9.8): This flaw involves an “Incorrect Authorization” vulnerability where the system “did not correctly check permissions assigned to developer credentials”. This impacts Portal for ArcGIS versions 11.4, 11.5, and 12.0.
The security patches for ArcGIS Enterprise are unique in that they include a proactive reset of permissions. Specifically, the updates for version 11.5 and 12.0 “reset potentially over-scoped developer credentials created by Portal for ArcGIS 11.5 back to expected default permissions”.
Esri notes that this reset is not expected to disrupt most use cases but advises that “the patch should be executed during an off-business hour period to minimize potential operational disruption”. Furthermore, administrators should be aware that “uninstalling the patch will NOT undo the permission changes” made to those credentials.
Organizations can determine their risk by checking their security settings. “If your organization does not utilize any developer credentials, including API keys or OAuth 2.0 credentials… your system is not vulnerable”.
To check for these credentials, administrators should navigate to: Organization settings / Security / Developer Credentials.
For those currently using developer credentials who cannot apply the patch immediately, Esri recommends “invalidating the developer credentials until the patch can be applied”.
Patches are currently available for Windows and Linux, while Kubernetes customers are instructed to apply 12.0 Update 3. Given the critical nature of these unauthorized access flaws, immediate validation and patching of all self-managed ArcGIS Enterprise portals is essential.
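The check-and-decide procedure above (confirm whether any developer credentials exist, match the portal version against the affected releases, and invalidate credentials if the patch cannot be applied yet) is easy to get wrong across many self-managed portals. The following Python helper is an added example, not Esri's code or anything from the bulletin: it encodes the bulletin's decision logic and runs offline against a constructed sample of a portal item search. The item types used to recognise API keys and OAuth 2.0 applications (`"API Key"`, `"Application"`) and the idea of pulling the inventory from the portal's REST search endpoint are assumptions to verify against your own deployment; the Organization settings / Security / Developer Credentials page remains the authoritative view.

```python
"""Triage helper for the Esri developer-credential bulletin (added example).

Decision logic taken from the bulletin:
  * Portal for ArcGIS 11.5 is affected by CVE-2026-33518 and CVE-2026-33519;
    11.4 and 12.0 are affected by CVE-2026-33519 only.
  * An organization that uses no developer credentials (API keys, OAuth 2.0
    credentials) is not vulnerable.
  * If credentials are in use and the patch cannot be applied immediately,
    invalidate them until it can.
"""
import json
import re

# Affected Portal for ArcGIS releases, per the bulletin.
AFFECTED_VERSIONS = {
    "11.4": ("CVE-2026-33519",),
    "11.5": ("CVE-2026-33518", "CVE-2026-33519"),
    "12.0": ("CVE-2026-33519",),
}

# Item types treated as developer credentials. ASSUMPTION about how API keys
# and OAuth 2.0 apps appear in a /sharing/rest/search?f=json response; confirm
# against your own portal before relying on it.
CREDENTIAL_ITEM_TYPES = {"API Key", "Application"}

# Constructed sample search response (not real data).
SAMPLE_SEARCH_RESPONSE = json.dumps({
    "total": 3,
    "results": [
        {"id": "a1", "title": "field-collector-key", "type": "API Key",
         "owner": "gisadmin", "typeKeywords": ["API Key"]},
        {"id": "b2", "title": "Parcel Viewer (OAuth)", "type": "Application",
         "owner": "webdev", "typeKeywords": ["Registered App", "OAuth"]},
        {"id": "c3", "title": "Zoning map", "type": "Web Map",
         "owner": "planner", "typeKeywords": ["Web Map"]},
    ],
})

NOTES = {
    "not_affected": "Version is outside the affected releases in the bulletin.",
    "not_vulnerable": "No developer credentials in use; bulletin says not vulnerable.",
    "invalidate_credentials": "Invalidate developer credentials until the patch "
                              "is applied; install the patch with highest priority.",
    "patched": "Patch applied. 11.5/12.0 patches reset over-scoped credentials "
               "created on 11.5 to defaults; uninstalling does not undo that.",
}


def major_minor(version):
    """Reduce a product version such as '11.5.0' to the '11.5' form."""
    m = re.match(r"^(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return f"{m.group(1)}.{m.group(2)}"


def applicable_cves(version):
    """CVEs from the bulletin that apply to this Portal for ArcGIS version."""
    return list(AFFECTED_VERSIONS.get(major_minor(version), ()))


def find_developer_credentials(search_json):
    """Return the credential items (API keys, OAuth apps) found in a search response."""
    results = json.loads(search_json).get("results", [])
    return [
        {"id": r["id"], "title": r["title"], "type": r["type"], "owner": r.get("owner")}
        for r in results
        if r.get("type") in CREDENTIAL_ITEM_TYPES
    ]


def triage(version, search_json, patched=False):
    """Combine version exposure and credential inventory into one recommendation."""
    cves = applicable_cves(version)
    creds = find_developer_credentials(search_json)
    if not cves:
        action = "not_affected"
    elif patched:
        action = "patched"
    elif not creds:
        action = "not_vulnerable"
    else:
        action = "invalidate_credentials"
    return {"version": major_minor(version), "cves": cves,
            "credentials": creds, "action": action, "note": NOTES[action]}


if __name__ == "__main__":
    report = triage("11.5.0", SAMPLE_SEARCH_RESPONSE)
    print(json.dumps(report, indent=2))
```

Run it per portal with the real version string and the JSON returned by your item search; any result of `invalidate_credentials` is a portal where credentials should be revoked now and patching scheduled for an off-business-hour window, since the 11.5 and 12.0 patches also reset credential permissions.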