ArcGIS Server Security 2026 Update 1 Patch has been released here.
This patch resolves 2 Medium severity vulnerabilities in ArcGIS Server versions 11.1 thru 11.5 on Windows and Linux.
This patch was released April 21, 2026. We strongly encourage ArcGIS Enterprise customers to apply this patch within the next two weeks to minimize risk.
Important Notes:
- Cumulative – This patch is cumulative and does not require that you install any previous ArcGIS Server Security patches before installing it; using the Patch Notification Utility can help ease this process. This patch is NOT dependent on other patches being in place.
- Note: This patch does not include fixes for issues previously addressed in ArcGIS Feature Server or Map Server vulnerabilities. It addresses issues in the ArcGIS Server application framework.
- Mitigation – In order to mitigate these vulnerabilities, we strongly recommend all ArcGIS Enterprise customers install this patch as soon as possible.
- Unaffected Versions – 12.0 is not affected by these vulnerabilities. Customers with security concerns should always keep their deployments on the most recent release of ArcGIS Enterprise, as it will always have the most up-to-date third-party libraries of any of our software versions in current support.
- Unsupported and Mature Support Status – ArcGIS Server versions prior to 10.9.1 are retired or are in mature support status. These versions should be assumed vulnerable.
Portal for ArcGIS Security 2026 Update 1 Patch
Esri has discovered a security vulnerability with developer credentials affecting ArcGIS Online, ArcGIS Location Platform and ArcGIS Enterprise.
ArcGIS Online and ArcGIS Location Platform
Both were patched on 4/13/26, and only affected customers were notified via email that same day asking them to validate that the update did not affect their applications and scripts using developer credentials.
ArcGIS Enterprise
UPDATE 4/20 – 11.4 patches released
Portal for ArcGIS 11.5 and 12.0 security patches were initially released on 4/13/2026 and updated on 4/16/2026, resolving 2 critical severity vulnerabilities. 11.4 patches were subsequently released on 4/20/26; no other versions are applicable. These patches should be installed with the highest priority.
The Portal for ArcGIS 11.5 and 12.0 patches reset potentially over-scoped developer credentials created by Portal for ArcGIS 11.5 back to the expected default permissions. This is not expected to disrupt most customer developer credential use cases; however, the patch should be applied during an off-business-hours period to minimize potential operational disruption. Uninstalling the patch will NOT undo the permission changes to your developer credentials, so please back up your systems as recommended.
- See Windows and Linux patch page here
- Kubernetes customers should apply 12.0 Update 3 as described here
Mitigation
If your organization does not utilize any developer credentials, including API keys or OAuth 2.0 credentials for application authentication, your system is not vulnerable. If your organization is unable to apply this patch in a timely manner and you currently utilize developer credentials, we recommend invalidating the developer credentials until the patch can be applied.
Developer Credential Check
Browse to Organization settings / Security / Developer Credentials. If there are API keys or OAuth 2.0 credentials you have Developer Credentials.
Troubleshooting
If the reset of over-scoped developer credentials disrupts your script or app, we recommend the following steps to resolve it:
- Confirm all developer credentials in use by performing the Developer Credential Check above.
- Review the associated app or script which is failing and confirm which developer credential is the problem.
- Before making changes, we recommend confirming that the current developer credential best practices listed in this announcement are being followed.
- Validate the permissions assigned to the developer credential and determine any additional script or app permission requirements by passing it as a parameter to the portal’s self resource.
Example: curl "https://www.arcgis.com/sharing/rest/community/self?f=pjson&token=[Your_API_Key]" (the URL is quoted so the shell does not treat the & as a command separator).
- Determine if you can reduce the permission requirements of your app or script and make adjustments to those.
- If you have confirmed the elevated permissions are required for the developer credentials, you will need to reissue a new developer credential for your app/script, confirm your issue is addressed, and then delete the original developer credential.
- If you need additional guidance, reach out to our support team for assistance.
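The permission-validation step above, as an added example that is not Esri's code or part of this bulletin: it queries the self resource for a developer credential and splits the granted privileges into needed, excess and missing sets. It assumes the self response carries a "privileges" array of strings, as the ArcGIS REST API user resource does; the portal URL, privilege names and sample response below are constructed for illustration.

```python
import json
import urllib.parse
import urllib.request


def fetch_self(portal_url: str, token: str) -> dict:
    """Query <portal_url>/sharing/rest/community/self for the given token.

    The token is sent in the POST body rather than the query string so it is
    less likely to land in proxy or web-server access logs.
    """
    url = portal_url.rstrip("/") + "/sharing/rest/community/self"
    body = urllib.parse.urlencode({"f": "pjson", "token": token}).encode()
    with urllib.request.urlopen(url, data=body, timeout=30) as resp:
        data = json.load(resp)
    # ArcGIS REST reports invalid or expired tokens as HTTP 200 + "error" key.
    if "error" in data:
        raise RuntimeError(f"self request failed: {data['error']}")
    return data


def compare_privileges(self_json: dict, required: set) -> dict:
    """Needed = granted and required; excess = candidates to remove;
    missing = explains an app failing after the patch reset its credential."""
    granted = set(self_json.get("privileges", []))
    return {
        "needed": sorted(granted & required),
        "excess": sorted(granted - required),
        "missing": sorted(required - granted),
    }


# Constructed sample self response for a developer credential (not real data).
SAMPLE_SELF = {
    "username": "app_credential_example",
    "privileges": [
        "portal:user:createItem",
        "portal:user:shareToGroup",
        "premium:user:geocode:stored",
    ],
}

# Privileges the hypothetical script actually needs.
REQUIRED = {"portal:user:createItem", "premium:user:geocode:temporary"}

if __name__ == "__main__":
    # Live use: fetch_self("https://portal.example.com/portal", token)
    print(json.dumps(compare_privileges(SAMPLE_SELF, REQUIRED), indent=2))
```

Anything listed under "excess" is a candidate for removal before reissuing the credential; anything under "missing" is a permission the app needs that the credential no longer carries.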
Best Practice
Esri and the software industry are moving away from using API keys for protecting sensitive content due to the inherent security risks they present. Esri has recently updated developer credential documentation and posted/updated the following ArcGIS Trust Center content:
- Enterprise Hardening Guidance
- 2026 Dev Summit Security Presentation
- ArcGIS Developer Credential best practices blog/video
What If I Have Legacy API Keys Still?
- While this vulnerability does not involve legacy API keys, you should immediately apply this security patch, then replace any legacy API keys in alignment with the best practice recommendations above. All legacy API keys will permanently expire on 6/27/26.
ArcGIS Enterprise Vulnerability Details
- Description: An incorrect privilege assignment vulnerability exists that allows highly privileged users to create developer credentials that may grant more privileges than expected.
- CWE-266: Incorrect Privilege Assignment
- Base CVSS 3.1: 9.8
- Temporal CVSS 3.1: 9.4
- Affected: Portal for ArcGIS 11.5

- Description: An incorrect authorization vulnerability exists that did not correctly check permissions assigned to developer credentials.
- CWE-863: Incorrect Authorization
- Base CVSS 3.1: 9.8
- Temporal CVSS 3.1: 9.4
- Affected: Portal for ArcGIS 11.4, 11.5, 12.0

- Description: ArcGIS Server in certain federated configurations contains an input-validation weakness in the login redirection workflow. When a user accesses a specially crafted authentication request, the application may redirect the browser to an unintended external location.
- Temporal CVSS 3.1: 2
- Affected: ArcGIS Server 11.5

- Description: An unauthenticated endpoint in ArcGIS Server versions 11.5 and earlier allows an attacker to disable the Services Directory web interface. The issue does not affect service availability, API access, or data confidentiality and is limited to a low-severity integrity impact.
- CWE-306: Missing Authentication for Critical Function
- Affected: ArcGIS Server 11.1, 11.2, 11.3, 11.4, 11.5
Bulletin Update History:
- 4/13 – Initial announcement
- 4/14 – Patch temporarily disabled announcement
- 4/15 – Clarification of affected customer notification day/mechanism & what Legacy API Key users should do
- 4/16 – Updated Patch B version available
- 4/20 – Portal for ArcGIS 11.4 patch released
- 4/21 – CVEs published publicly
- 4/28 – Added ArcGIS Server Security 2026 Update 1 Patch (released 4/21)