CVE-2026-33518
Published: 21 April 2026
Summary
CVE-2026-33518 is a critical-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Esri Portal for ArcGIS. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It ranks at the 21.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-6 (Least Privilege).
Deeper analysis
CVE-2026-33518 is an incorrect privilege assignment vulnerability (CWE-266) affecting Esri Portal for ArcGIS version 11.5 on both Windows and Linux platforms. The issue enables highly privileged users to create developer credentials that grant more privileges than expected, potentially leading to unauthorized elevation within the system. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Highly privileged users can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation allows attackers to generate developer credentials with unintended elevated privileges, which could result in high confidentiality, integrity, and availability impacts, such as unauthorized data access, system modifications, or service disruptions.
The Esri April 2026 security bulletin provides details on mitigation and patching: https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/april2026_security_bulletin.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-24337
Vulnerability details
An incorrect privilege assignment vulnerability exists in Esri Portal for ArcGIS 11.5 in Windows and Linux that allows highly privileged users to create developer credentials that may grant more privileges than expected.
- CWE-266: Incorrect Privilege Assignment
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploitation for Privilege Escalation (T1068)
Why these techniques?
Incorrect privilege assignment in credential creation directly enables unauthorized elevation of privileges by highly privileged users.
Affected Assets
- Esri Portal for ArcGIS 11.5 (Windows and Linux)
Mitigating Controls (NIST 800-53 r5)
- AC-6 (Least Privilege): Directly addresses incorrect privilege assignment by enforcing that developer credentials created by highly privileged users are limited to the minimum privileges necessary for their roles.
- AC-2 (Account Management): Requires systematic management of accounts and privileges, including periodic review, to prevent the creation of developer credentials with unintended elevated privileges.
- Patching (see the Esri April 2026 security bulletin): Remediates the specific software flaw in Esri Portal for ArcGIS that enables highly privileged users to generate over-privileged developer credentials.
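The two controls above map to a concrete check at credential-issuance time and to a periodic review of credentials that already exist. The following is an added illustration, not Esri code and not Portal for ArcGIS's real role or privilege model: the role names, privilege strings and function names are constructed for the example. It shows the CWE-266 pattern (privileges copied straight from the request) beside a hardened issuer that caps a developer credential at the intersection of its declared role's ceiling and the creator's own ceiling, plus an audit routine that flags stored credentials exceeding their declared role.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple

# Constructed role model (an assumption for this example; real Portal for
# ArcGIS role and privilege names are not taken from the advisory).
ROLE_CEILING: Dict[str, FrozenSet[str]] = {
    "viewer": frozenset({"content:read"}),
    "publisher": frozenset({"content:read", "content:publish"}),
    "administrator": frozenset({"content:read", "content:publish",
                                "users:manage", "portal:admin"}),
}


@dataclass(frozen=True)
class Principal:
    name: str
    role: str

    def ceiling(self) -> FrozenSet[str]:
        """Maximum privileges this principal's role may ever hold or delegate."""
        return ROLE_CEILING[self.role]


@dataclass(frozen=True)
class DeveloperCredential:
    owner: str                  # principal who created the credential
    role: str                   # role the credential is declared to act as
    privileges: FrozenSet[str]  # privileges actually baked into it


class PrivilegeAssignmentError(ValueError):
    """Raised when a credential would carry privileges its role must not have."""


def issue_credential_unchecked(creator: Principal, role: str,
                               requested: Iterable[str]) -> DeveloperCredential:
    """Weak pattern (CWE-266): whatever is requested is granted, no ceiling applied."""
    return DeveloperCredential(creator.name, role, frozenset(requested))


def issue_credential(creator: Principal, role: str,
                     requested: Iterable[str]) -> DeveloperCredential:
    """Hardened pattern (AC-6): cap by the declared role AND by the creator."""
    requested = frozenset(requested)
    if role not in ROLE_CEILING:
        raise PrivilegeAssignmentError(f"unknown role {role!r}")
    ceiling = ROLE_CEILING[role] & creator.ceiling()
    excess = requested - ceiling
    if excess:
        raise PrivilegeAssignmentError(
            f"{creator.name} requested privileges outside the {role} ceiling: "
            f"{sorted(excess)}")
    return DeveloperCredential(creator.name, role, requested)


def audit_overprivileged(
        credentials: Iterable[DeveloperCredential]) -> List[Tuple[str, List[str]]]:
    """Detection / AC-2 review: (owner, excess privileges) for credentials
    whose privilege set exceeds the ceiling of their declared role."""
    findings: List[Tuple[str, List[str]]] = []
    for cred in credentials:
        excess = cred.privileges - ROLE_CEILING.get(cred.role, frozenset())
        if excess:
            findings.append((cred.owner, sorted(excess)))
    return findings


if __name__ == "__main__":
    admin = Principal("alice", "administrator")
    ok = issue_credential(admin, "publisher", {"content:read", "content:publish"})
    print("issued:", ok)
    # The weak issuer lets an administrator mint a "publisher" credential
    # that silently carries portal:admin; the audit catches it afterwards.
    bad = issue_credential_unchecked(admin, "publisher",
                                     {"content:publish", "portal:admin"})
    print("audit findings:", audit_overprivileged([ok, bad]))
    try:
        issue_credential(admin, "publisher", {"content:publish", "portal:admin"})
    except PrivilegeAssignmentError as exc:
        print("rejected:", exc)
```

The issuance check and the audit are deliberately the same set arithmetic, so a credential that passes issuance can never be flagged later, and anything minted before the check existed (the situation a patched deployment is in) is surfaced by the audit for revocation.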