Esri has discovered a security vulnerability with developer credentials affecting ArcGIS Online, ArcGIS Location Platform and ArcGIS Enterprise.
ArcGIS Online and ArcGIS Location Platform
Both were patched on 4/13/26, and only affected customers were notified and asked to validate that the update did not affect their applications and scripts using developer credentials.
ArcGIS Enterprise
A security patch was released concurrently on 4/13/2026, resolving 2 critical severity vulnerabilities in Portal for ArcGIS 11.5 and 12.0. It should be installed with the highest priority. The patch resets potentially over-scoped developer credentials created by Portal for ArcGIS 11.5 back to expected default permissions. This is not expected to disrupt most customer developer credential use cases; however, the patch should be executed during an off-business hour period to minimize potential operational disruption. Uninstalling the patch will NOT undo the permission changes of your developer credentials, so please back up your systems as recommended.
- See Windows and Linux patch page here
- Kubernetes customers should apply 12.0 Update 3 as described here
Mitigation
If your organization does not utilize any developer credentials, including API keys or OAuth 2.0 credentials for application authentication, your system is not vulnerable. If your organization is unable to apply this patch in a timely manner and you currently utilize developer credentials, we recommend invalidating the developer credentials until the patch can be applied.
Developer Credential Check
Browse to Organization settings / Security / Developer Credentials. If there are API keys or OAuth 2.0 credentials listed, you have Developer Credentials.
Troubleshooting
If the reset of over-scoped developer credentials disrupts your script or app, we recommend the following steps to resolve the issue:
- Confirm all developer credentials in use by performing the Developer Credential Check above.
- Review the associated app or script which is failing and confirm which developer credential is the problem.
- Before making changes, we recommend confirming that the current developer credential best practices listed in this announcement are being followed.
- Validate the permissions assigned to the developer credential, and determine any additional script or app permission requirements, by passing the credential as a parameter to the portal’s self resource.
  Example: curl "https://www.arcgis.com/sharing/rest/community/self?f=pjson&token=[Your_API_Key]"
- Determine if you can reduce the permission requirements of your app or script and make adjustments to those.
- If you have confirmed the elevated permissions are required for the developer credentials, you will need to reissue a new developer credential for your app/script, confirm your issue is addressed, and then delete the original developer credential.
- If you need additional guidance, reach out to our support team for assistance.
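Added example (not Esri code): one way to work through the validation and reduction steps above is to save the self resource response and compare the privileges it lists with what the script actually needs. The "privileges" field, the error body shape, and all privilege strings in the sample are constructed assumptions for illustration.

```python
import json

# Constructed sample of a self resource response for a developer credential.
# The "privileges" array and its values are assumptions, not output from a real portal.
SAMPLE_SELF = """{
  "username": "example_dev",
  "privileges": [
    "portal:user:createItem",
    "portal:user:shareToGroup",
    "portal:admin:viewUsers",
    "premium:user:geocode:temporary"
  ]
}"""

# Constructed sample of the body returned for an invalidated or deleted credential.
SAMPLE_ERROR = '{"error": {"code": 498, "message": "Invalid token.", "details": []}}'


def audit_credential(self_json, required):
    """Compare the privileges a credential holds with what a script needs."""
    doc = json.loads(self_json)
    # An error object means the credential itself is the problem, not its scope.
    if "error" in doc:
        err = doc["error"]
        raise ValueError(f"self resource returned error {err.get('code')}: {err.get('message')}")
    granted = set(doc.get("privileges", []))
    required = set(required)
    return {
        # Needed but not granted: the likely cause of a failure after the reset.
        "missing": sorted(required - granted),
        # Granted but not needed: candidates to drop when reissuing the credential.
        "excess": sorted(granted - required),
        # Administrative privileges deserve a second look on any app credential.
        "admin": sorted(p for p in granted if p.startswith("portal:admin:")),
    }


if __name__ == "__main__":
    # Hypothetical list of privileges the failing script requires.
    needs = ["portal:user:createItem", "premium:user:geocode:temporary",
             "portal:user:viewOrgItems"]
    for key, privs in audit_credential(SAMPLE_SELF, needs).items():
        print(f"{key}: {', '.join(privs) or '(none)'}")
```

An empty "missing" list with a non-empty "excess" list means the credential can be reissued with fewer permissions.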
Best Practice
Esri and the software industry are moving away from using API keys for protecting sensitive content due to the inherent security risks they present. Esri has recently updated developer credential documentation and posted/updated the following ArcGIS Trust Center content:
- Enterprise Hardening Guidance
- 2026 Dev Summit Security Presentation
- ArcGIS Developer Credential best practices blog/video