
CVE-2026-33518

Severity: Critical

Published: 21 April 2026

Modified: 18 May 2026
CVSS v3.1 score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0029 (21.0th percentile)
Risk priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-33518 is a critical-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Esri Portal for ArcGIS. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability is ranked at the 21.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-33518 is an incorrect privilege assignment vulnerability (CWE-266) affecting Esri Portal for ArcGIS version 11.5 on both Windows and Linux platforms. The issue enables highly privileged users to create developer credentials that grant more privileges than expected, potentially leading to unauthorized elevation within the system. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Highly privileged users can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation allows attackers to generate developer credentials with unintended elevated privileges, which could result in high confidentiality, integrity, and availability impacts, such as unauthorized data access, system modifications, or service disruptions.

The Esri April 2026 security bulletin provides details on mitigation and patching: https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/april2026_security_bulletin.


Vulnerability details

An incorrect privilege assignment vulnerability exists in Esri Portal for ArcGIS 11.5 in Windows and Linux that allows highly privileged users to create developer credentials that may grant more privileges than expected.


Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Incorrect privilege assignment in credential creation directly enables unauthorized elevation of privileges by highly privileged users.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33519 (same product: Esri Portal for ArcGIS)
CVE-2024-51459 (same product: Linux kernel)
CVE-2026-8036 (same product: Linux kernel)
CVE-2026-26131 (same product: Linux kernel)
CVE-2024-51954 (same product: Linux kernel)
CVE-2026-20804 (same vendor: Microsoft)
CVE-2026-9926 (same product: Linux kernel)
CVE-2026-7919 (same product: Linux kernel)
CVE-2025-23303 (same product: Linux kernel)
CVE-2026-9946 (same product: Linux kernel)

Affected Assets

Vendor: esri; Product: portal for arcgis; Version: 11.5

Mitigating Controls (NIST 800-53 r5)

AC-6 Least Privilege (prevent): directly addresses incorrect privilege assignment by enforcing that developer credentials created by highly privileged users are limited to the minimum privileges necessary for their roles.

AC-2 Account Management (prevent): requires systematic management of accounts and privileges to prevent the creation of developer credentials with unintended elevated privileges.

Flaw remediation (prevent): remediates the specific software flaw in Esri Portal for ArcGIS that enables highly privileged users to generate over-privileged developer credentials.
