{"id":2961441,"date":"2026-05-04T10:00:25","date_gmt":"2026-05-04T17:00:25","guid":{"rendered":"https:\/\/www.esri.com\/arcgis-blog\/?post_type=blog&#038;p=2961441"},"modified":"2026-05-12T11:32:10","modified_gmt":"2026-05-12T18:32:10","slug":"april2026_security_bulletin","status":"publish","type":"blog","link":"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/april2026_security_bulletin","title":{"rendered":"April 2026 ArcGIS Security Bulletin"},"author":136891,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","format":"standard","meta":{"_acf_changed":false,"_searchwp_excluded":""},"categories":[37501],"tags":[43671,24081,759222,24071,780941],"industry":[],"product":[36571,761642,36551,763582],"class_list":["post-2961441","blog","type-blog","status-publish","format-standard","hentry","category-administration","tag-administration","tag-ssamymlgp","tag-cve","tag-security","tag-ssamlmygp","product-arcgis-enterprise","product-platform","product-arcgis-online","product-trust-arcgis"],"acf":{"authors":[{"ID":136891,"user_firstname":"Mark","user_lastname":"Bierman","nickname":"Mark Bierman","user_nicename":"mbierman","display_name":"Mark Bierman","user_email":"MBierman@esri.com","user_url":"","user_registered":"2020-12-08 21:10:04","user_description":"","user_avatar":"<img data-del=\"avatar\" src='https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2023\/06\/softwaresecurity-213x200.png' class='avatar pp-user-avatar avatar-96 photo ' height='96' width='96'\/>"},{"ID":3911,"user_firstname":"Michael","user_lastname":"Young","nickname":"Michael Young","user_nicename":"myoung1000","display_name":"Michael Young","user_email":"myoung@esri.com","user_url":"http:\/\/trust.arcgis.com","user_registered":"2018-03-02 00:15:29","user_description":"","user_avatar":"<img data-del=\"avatar\" src='https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2021\/12\/SSP-213x200.jpg' class='avatar pp-user-avatar avatar-96 photo ' height='96' width='96'\/>"},{"ID":5311,"user_firstname":"Randall","user_lastname":"Williams","nickname":"Randall Williams","user_nicename":"randallwilliams","display_name":"Randall Williams","user_email":"randall_williams@esri.com","user_url":"https:\/\/trust.arcgis.com","user_registered":"2018-03-02 00:17:03","user_description":"","user_avatar":"<img data-del=\"avatar\" src='https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2018\/08\/softwaresecurity.png' class='avatar pp-user-avatar avatar-96 photo ' height='96' width='96'\/>"}],"short_description":"The Esri April 2026 security bulletin contains information related to security fixes provided by Esri. ","flexible_content":[{"acf_fc_layout":"sidebar","content":"<p><strong>Key highlights<\/strong><\/p>\n<ul>\n<li>Esri now provides security bulletins containing details with details about security vulnerabilities and patches.<\/li>\n<li><strong>Portal for ArcGIS Security 2026 Update 1 Patch<\/strong>\n<ul>\n<li>Portal for ArcGIS 11.4, 11.5, and 12.0 require a security patch<\/li>\n<li>US CISA recommends applying Critical Security patches within 15 days<\/li>\n<li>Patch\/update resets potentially over-scoped developer credentials<\/li>\n<li>Check if your applications\/scripts using developer credentials are fully operational after update<\/li>\n<\/ul>\n<\/li>\n<li><strong>ArcGIS Server Security 2026 Update 1 Patch<\/strong>\n<ul>\n<li>This patch resolves 2 Medium severity vulnerabilities in ArcGIS Server versions 11.1 thru 11.5 on Windows and Linux.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n","image_reference":false,"layout":"standard","image_reference_figure":"","snippet":"","spotlight_name":"","section_title":"","position":"Right","spotlight_image":false},{"acf_fc_layout":"content","content":"<p>Starting April 2026, the Esri Software Security and Privacy team provides customers with monthly patch bulletins. This allows customers an at-a-glance view of all security patches Esri releases on a monthly basis.<\/p>\n<p><strong>Bulletin Update History:<\/strong><\/p>\n<p>4\/13 &#8211; Initial announcement<strong><span class=\"uiOutputText\" dir=\"ltr\">:\u00a0<\/span><\/strong>Portal for ArcGIS Security 2026 Update 1 Patch<\/p>\n<p>4\/14 &#8211;\u00a0Portal for ArcGIS Security 2026 Update 1 Patch\u00a0temporarily disabled announcement<\/p>\n<p>4\/15 &#8211; Portal for ArcGIS Security 2026 Update 1 Patch\u00a0Clarification of affected customer notification day\/mechanism &amp; what Legacy API Key users should do<\/p>\n<p>4\/16 &#8211; Portal for ArcGIS Security 2026 Update 1 Patch Updated Patch B version available<\/p>\n<p>4\/20 &#8211; Portal for ArcGIS Security 2026 Update 1 Patch: Portal for ArcGIS 11.4 patch released<\/p>\n<p>4\/21 &#8211; Portal for ArcGIS Security 2026 Update 1 Patch CVEs published publicly<\/p>\n<p>4\/28 &#8211; ArcGIS Server Security 2026 Update 1 Patch has been released 4\/21.<\/p>\n<p>5\/12 &#8211; ArcGIS Server Security 2026 Update 1 Patch CVEs published publicly<\/p>\n"},{"acf_fc_layout":"content","content":"<p><strong><span class=\"uiOutputText\" dir=\"ltr\">May 4, 2026: <\/span><\/strong><strong>Portal for ArcGIS Security 2026 Update 1 Patch<\/strong><\/p>\n<p>Esri has discovered a security vulnerability with developer credentials affecting ArcGIS Online, ArcGIS Location Platform and ArcGIS Enterprise.<\/p>\n<h4><strong>ArcGIS Online and ArcGIS Location Platform<\/strong><\/h4>\n<p>Both were patched on 4\/13\/26, and only affected customers were notified via email that same day asking them to validate that the update did not affect their applications and scripts using developer credentials.<\/p>\n<h4><strong>ArcGIS Enterprise<\/strong><\/h4>\n<p><strong>UPDATE April 20, 2026 &#8211; 11.4 patches released<\/strong><\/p>\n<ul>\n<li>Portal for ArcGIS 11.5 and 12.0 security patches were initially released on 4\/13\/2026 and updated on 4\/16\/2026, resolving 2 <strong>critical severity<\/strong> vulnerabilities (11.4 patches were subsequently released on 4\/20\/26 &#8211; no other versions are applicable) &#8211; It should be installed with the highest priority.<\/li>\n<li>The Portal for ArcGIS 11.5 and 12.0 patches reset potentially over-scoped developer credentials created by Portal for ArcGIS 11.5 back to expected default permissions.\u00a0 This is not expected to disrupt most customer developer credential use cases, however the patch should be executed during an off-business hour period to minimize potential operational disruption.\u00a0 <em>Uninstalling the patch will NOT undo the permission changes of your developer credentials<\/em>, so please backup your systems as recommended.<\/li>\n<li>See Windows and Linux patch page <a href=\"https:\/\/support.esri.com\/en-us\/patches-updates\/2026\/portal-for-arcgis-security-2026-update-1-patch\">here<\/a><\/li>\n<li>Kubernetes customers should apply 12.0 Update 3 as described <a href=\"https:\/\/enterprise-k8s.arcgis.com\/en\/latest\/introduction\/release-notes.htm#ESRI_SECTION1_3E42872E67AE413B9DF43A77ABD4E73F\">here<\/a><\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h4><strong>Mitigation<\/strong><\/h4>\n<ul>\n<li>If your organization does not utilize any developer credentials, including API keys or OAuth 2.0 credentials for application authentication, your system is not vulnerable.\u00a0 If your organization is unable to apply this patch in a timely manner and you currently utilize developer credentials, we recommend <a href=\"https:\/\/developers.arcgis.com\/documentation\/security-and-authentication\/api-key-authentication\/api-key-credentials\/location-platform\/#invalidate-an-api-key\">invalidating the developer credentials<\/a> until the patch can be applied.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h4><strong>Developer Credential Check<\/strong><\/h4>\n<ul>\n<li>Browse to Organization settings \/ Security \/ Developer Credentials.\u00a0 If there are API keys or OAuth 2.0 credentials you have Developer Credentials.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h4><b>Troubleshooting<\/b><\/h4>\n<p>If the reset of over-scoped developer credentials disrupts your script or app we recommend the following steps to resolve:<\/p>\n<ol>\n<li>Confirm all developer credentials in use by performing the <b>Developer Credential Check<\/b> above.<\/li>\n<li>Review the associated app or script which is failing and confirm which developer credential is the problem.<\/li>\n<li>Before making changes, we recommend reviewing current developer credential <b>best practices<\/b> listed in this announcement are being followed.<\/li>\n<li><a href=\"https:\/\/enterprise.arcgis.com\/en\/portal\/latest\/administer\/windows\/roles.htm\">Validate the permissions assigned<\/a> to the developer credential and determine any additional script or app permission requirements by passing it as a parameter to the portal&#8217;s self resource.<br \/>\nExample: <em>curl <a href=\"https:\/\/www.arcgis.com\/sharing\/rest\/community\/self?f=pjson&amp;token=[Your_API_Key]\">https:\/\/www.arcgis.com\/sharing\/rest\/community\/self?f=pjson&amp;token=[Your_API_Key]<\/a><\/em><\/li>\n<li>Determine if you can reduce the permission requirements of your app or script and make adjustments to those.<\/li>\n<li>If you have confirmed the elevated permissions are required for the developer credentials, you will need to reissue a new developer credential for your app\/script, confirm your issue is addressed, and then delete the original developer credential.<\/li>\n<li>If you need additional guidance, reach out to Esri support services for assistance.<\/li>\n<\/ol>\n<p>&nbsp;<\/p>\n<h4><strong>Best Practice<\/strong><\/h4>\n<p>Esri and the software industry are moving away from using API keys for protecting sensitive content due to the inherent security risks they present.\u00a0 Esri has recently updated developer credential documentation and posted\/updated the following ArcGIS Trust Center content:<\/p>\n<ul>\n<li><a href=\"https:\/\/downloads.esri.com\/RESOURCES\/ENTERPRISEGIS\/ArcGIS_Enterprise_Hardening_Guide.pdf\">Enterprise Hardening Guidance<\/a><\/li>\n<li><a href=\"https:\/\/content.esri.com\/resources\/enterprisegis\/building_security_into_your_arcgis_system.pdf\">2026 Dev Summit Security Presentation<\/a><\/li>\n<li><a href=\"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/developers\/user-app-or-api-key-authentication\">ArcGIS Developer Credential best practices blog\/video<\/a><\/li>\n<\/ul>\n<p><strong>What If I Still Have Legacy API Keys?<\/strong><\/p>\n<ul>\n<li>While this vulnerability is not for legacy API keys, you should immediately apply this security patch, then replace any legacy API keys in alignment with the best practice recommendations above. <a href=\"https:\/\/developers.arcgis.com\/documentation\/security-and-authentication\/api-key-authentication\/api-key-legacy\/\">Legacy API keys <\/a>will all permanently expire on 6\/27\/26.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n"},{"acf_fc_layout":"content","content":"<h4><strong>Vulnerability Details<\/strong><\/h4>\n<p><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-33518\"><em><strong>CVE-2026-33518<\/strong><\/em><\/a><\/p>\n<ul>\n<li><strong>Description<\/strong>: An incorrect privilege assignment vulnerability exists in that allows highly privileged users to create developer credentials that may grant more privileges than expected.<\/li>\n<li><strong><a href=\"https:\/\/cwe.mitre.org\/data\/definitions\/266.html\">CWE-266<\/a>:<\/strong> Incorrect Privilege Assignment<\/li>\n<li><strong>Base CVSS 3.1:<\/strong> <a href=\"https:\/\/www.first.org\/cvss\/calculator\/3.1#CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H\">9.8<\/a><\/li>\n<li><strong>Temporal CVSS 3.1:<\/strong>\u00a0<a href=\"https:\/\/www.first.org\/cvss\/calculator\/3.1#CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H\/E:H\/RL:O\/RC:C\">9.4<\/a><\/li>\n<li><strong>Affected:<\/strong> Portal for ArcGIS 11.5<\/li>\n<li style=\"list-style-type: none\"><\/li>\n<\/ul>\n<p><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-33519\"><em><strong>CVE-2026-33519<\/strong><\/em><\/a><\/p>\n<ul>\n<li><strong>Description:<\/strong> An incorrect authorization vulnerability exists that did not correctly check permissions assigned to developer credentials.<\/li>\n<li><strong><a href=\"https:\/\/cwe.mitre.org\/data\/definitions\/863.html\">CWE-863<\/a>:<\/strong> Incorrect Authorization<\/li>\n<li><strong>Base CVSS 3.1:<\/strong> <a href=\"https:\/\/www.first.org\/cvss\/calculator\/3.1#CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H\">9.8<\/a><\/li>\n<li><strong>Temporal CVSS 3.1:<\/strong>\u00a0<a href=\"https:\/\/www.first.org\/cvss\/calculator\/3.1#CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H\/E:H\/RL:O\/RC:C\">9.4<\/a><\/li>\n<li><strong>Affected:<\/strong> Portal for ArcGIS 11.4, 11.5, 12.0<\/li>\n<\/ul>\n<p><strong>_________________________________________________________________________<\/strong><\/p>\n"},{"acf_fc_layout":"content","content":"<p><strong>May 4, 2026: ArcGIS Server Security 2026 Update 1 Patch has been released <a href=\"https:\/\/support.esri.com\/en-us\/patches-updates\/2026\/arcgis-server-security-2026-update-1-patch\">here<\/a>.<\/strong><\/p>\n<ul>\n<li>This patch resolves 2 Medium severity vulnerabilities in ArcGIS Server versions 11.1 thru 11.5 on Windows and Linux.<\/li>\n<li>This patch was released April 21, 2026. We strongly encourage ArcGIS Enterprise customers apply this patch within the next two weeks to minimize risk.<\/li>\n<\/ul>\n<p><strong>Important Notes:<\/strong><\/p>\n<ul>\n<li><strong>Cumulative\u00a0<\/strong>\u2013 This patch is cumulative and does not require that you install any previous ArcGIS Server Security patches prior to installing this patch \u2013 Using the Patch Notification Utility can help ease this process. This patch is NOT dependent on other patches to be in place.<br \/>\n<strong>Note:<\/strong> This patch does not include fixes for issues previously addressed in ArcGIS Feature Server or Map Server vulnerabilities. It addresses issues in the ArcGIS Server application framework.<\/li>\n<li><strong>Mitigation<\/strong> \u2013 In order to mitigate these vulnerabilities, we strongly recommend all ArcGIS Enterprise customers install this patch as soon as possible.<\/li>\n<li><strong>Unaffected Versions<\/strong> \u2013 ArcGIS Server 12.0 is not affected by these vulnerabilities. Customers with security concerns should always maintain their deployments on the most recent release of ArcGIS Enterprise as it will always have the most up to date 3rd party libraries of any of our software versions in current support.<\/li>\n<li><strong>Unsupported and Mature Support Status<\/strong>\u00a0\u2013\u00a0ArcGIS Server versions prior to 10.9.1 are retired or are in mature support status. These versions should be assumed vulnerable.<\/li>\n<li><strong>Important Note\u00a0\u2013 May 4, 2026<\/strong>:\u00a0The 11.4\u00a0version of the ArcGIS Server Security 2026 Update 1 Patch\u00a0has been updated to address BUG-000184550.\u00a0Please install the new setup by downloading from this page or using the ArcGIS Enterprise Patch Notification Tool. It is not necessary to uninstall the original patch; the new setup will install and replace the original patch.\u00a0The new patch, when shown as available in the ArcGIS Enterprise Patch Notification tool, is listed as ArcGIS Server Security 2026 Update 1 Patch\u00a0with a release date of May 4, 2026;\u00a0once installed, it is listed as ArcGIS Server Security 2026 Update 1 Patch B.<\/li>\n<\/ul>\n"},{"acf_fc_layout":"content","content":"<p><strong>_________________________________________________________________________<\/strong><\/p>\n"},{"acf_fc_layout":"content","content":"<h4><strong>Vulnerability Details<\/strong><\/h4>\n<p><strong><em><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-2813\">CVE-2026-2813<\/a><\/em><\/strong><\/p>\n<ul>\n<li><strong>Description:\u00a0A<\/strong>rcGIS Server in certain federated configurations contains an input\u2011validation weakness in the login redirection workflow. When a user accesses a specially crafted authentication request, the application may redirect the browser to an unintended external location.<u><\/u><\/li>\n<li><strong><a href=\"https:\/\/cwe.mitre.org\/data\/definitions\/601.html\">CWE\u2011601<\/a><\/strong><strong>: <\/strong>URL Redirection to Untrusted Site (\u2018Open Redirect\u2019)<\/li>\n<li><strong>Base CVSSv3.1:<\/strong>\u00a0<a href=\"https:\/\/www.first.org\/cvss\/calculator\/3.1#CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:R\/S:C\/C:L\/I:N\/A:N\/E:P\/RL:O\/RC:C\">4.7<\/a><\/li>\n<li><strong>Temporal CVSSv3.1:<\/strong><a href=\"https:\/\/www.first.org\/cvss\/calculator\/3.1#CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:R\/S:C\/C:L\/I:N\/A:N\/E:P\/RL:O\/RC:C\">4.2<\/a><\/li>\n<li><strong>Affected:\u00a0<\/strong>ArcGIS Server 11.5<\/li>\n<\/ul>\n<p><em><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-2812\"><strong>CVE-2026-2812<\/strong><\/a><\/em><\/p>\n<ul>\n<li><strong>Description:\u00a0<\/strong>An unauthenticated endpoint in ArcGIS Server versions 11.5 and earlier allows an attacker to disable the Services Directory web interface. The issue does not affect service availability, API access, or data confidentiality and is limited to a low\u2011severity integrity impact.<\/li>\n<li><strong><a href=\"https:\/\/cwe.mitre.org\/data\/definitions\/306.html\">CWE\u2011306<\/a><\/strong><strong>: <\/strong>Missing Authentication for Critical Function<\/li>\n<li><strong>Base CVSSv3.1:<\/strong><a href=\"https:\/\/www.first.org\/cvss\/calculator\/3.1#CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:N\/I:L\/A:N\/E:P\/RL:O\/RC:C\">5.3<\/a><\/li>\n<li><strong>Temporal CVSSv3.1:<\/strong><a href=\"https:\/\/www.first.org\/cvss\/calculator\/3.1#CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:N\/I:L\/A:N\/E:P\/RL:O\/RC:C\">4.8<\/a><\/li>\n<li><strong>Affected:\u00a0<\/strong>ArcGIS Server 11.1,11.2,11.3,11.4,11.5<\/li>\n<\/ul>\n"}],"related_articles":"","show_article_image":true,"card_image":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2021\/07\/SA-Portal.gif","wide_image":false},"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v25.9 (Yoast SEO v25.9) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>April 2026 ArcGIS Security Bulletin<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/april2026_security_bulletin\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"April 2026 ArcGIS Security Bulletin\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/april2026_security_bulletin\" \/>\n<meta property=\"og:site_name\" content=\"ArcGIS Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/esrigis\/\" \/>\n<meta property=\"article:modified_time\" content=\"2026-05-12T18:32:10+00:00\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:site\" content=\"@ESRI\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":[\"Article\",\"BlogPosting\"],\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/april2026_security_bulletin#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/april2026_security_bulletin\"},\"author\":{\"name\":\"Mark Bierman\",\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/person\/928a9a9a1a21dc0cf370b54b135e73ed\"},\"headline\":\"April 2026 ArcGIS Security Bulletin\",\"datePublished\":\"2026-05-04T17:00:25+00:00\",\"dateModified\":\"2026-05-12T18:32:10+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/april2026_security_bulletin\"},\"wordCount\":4,\"publisher\":{\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#organization\"},\"keywords\":[\"administration\",\"ArcGIS Trust Center\",\"CVE\",\"Security\",\"SSAMLMYGP\"],\"articleSection\":[\"Administration\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/april2026_security_bulletin\",\"url\":\"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/april2026_security_bulletin\",\"name\":\"April 2026 ArcGIS Security Bulletin\",\"isPartOf\":{\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#website\"},\"datePublished\":\"2026-05-04T17:00:25+00:00\",\"dateModified\":\"2026-05-12T18:32:10+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/april2026_security_bulletin#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/april2026_security_bulletin\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/april2026_security_bulletin#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.esri.com\/arcgis-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"April 2026 ArcGIS Security Bulletin\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#website\",\"url\":\"https:\/\/www.esri.com\/arcgis-blog\/\",\"name\":\"ArcGIS Blog\",\"description\":\"Get insider info from Esri product teams\",\"publisher\":{\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.esri.com\/arcgis-blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#organization\",\"name\":\"Esri\",\"url\":\"https:\/\/www.esri.com\/arcgis-blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2018\/04\/Esri.png\",\"contentUrl\":\"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2018\/04\/Esri.png\",\"width\":400,\"height\":400,\"caption\":\"Esri\"},\"image\":{\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/esrigis\/\",\"https:\/\/x.com\/ESRI\",\"https:\/\/www.linkedin.com\/company\/5311\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/person\/928a9a9a1a21dc0cf370b54b135e73ed\",\"name\":\"Mark Bierman\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2023\/06\/softwaresecurity-213x200.png\",\"contentUrl\":\"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2023\/06\/softwaresecurity-213x200.png\",\"caption\":\"Mark Bierman\"},\"url\":\"\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"April 2026 ArcGIS Security Bulletin","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/april2026_security_bulletin","og_locale":"en_US","og_type":"article","og_title":"April 2026 ArcGIS Security Bulletin","og_url":"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/april2026_security_bulletin","og_site_name":"ArcGIS Blog","article_publisher":"https:\/\/www.facebook.com\/esrigis\/","article_modified_time":"2026-05-12T18:32:10+00:00","twitter_card":"summary_large_image","twitter_site":"@ESRI","twitter_misc":{"Est. reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":["Article","BlogPosting"],"@id":"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/april2026_security_bulletin#article","isPartOf":{"@id":"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/april2026_security_bulletin"},"author":{"name":"Mark Bierman","@id":"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/person\/928a9a9a1a21dc0cf370b54b135e73ed"},"headline":"April 2026 ArcGIS Security Bulletin","datePublished":"2026-05-04T17:00:25+00:00","dateModified":"2026-05-12T18:32:10+00:00","mainEntityOfPage":{"@id":"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/april2026_security_bulletin"},"wordCount":4,"publisher":{"@id":"https:\/\/www.esri.com\/arcgis-blog\/#organization"},"keywords":["administration","ArcGIS Trust Center","CVE","Security","SSAMLMYGP"],"articleSection":["Administration"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/april2026_security_bulletin","url":"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/april2026_security_bulletin","name":"April 2026 ArcGIS Security Bulletin","isPartOf":{"@id":"https:\/\/www.esri.com\/arcgis-blog\/#website"},"datePublished":"2026-05-04T17:00:25+00:00","dateModified":"2026-05-12T18:32:10+00:00","breadcrumb":{"@id":"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/april2026_security_bulletin#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/april2026_security_bulletin"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/april2026_security_bulletin#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.esri.com\/arcgis-blog\/"},{"@type":"ListItem","position":2,"name":"April 2026 ArcGIS Security Bulletin"}]},{"@type":"WebSite","@id":"https:\/\/www.esri.com\/arcgis-blog\/#website","url":"https:\/\/www.esri.com\/arcgis-blog\/","name":"ArcGIS Blog","description":"Get insider info from Esri product teams","publisher":{"@id":"https:\/\/www.esri.com\/arcgis-blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.esri.com\/arcgis-blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.esri.com\/arcgis-blog\/#organization","name":"Esri","url":"https:\/\/www.esri.com\/arcgis-blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2018\/04\/Esri.png","contentUrl":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2018\/04\/Esri.png","width":400,"height":400,"caption":"Esri"},"image":{"@id":"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/esrigis\/","https:\/\/x.com\/ESRI","https:\/\/www.linkedin.com\/company\/5311\/"]},{"@type":"Person","@id":"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/person\/928a9a9a1a21dc0cf370b54b135e73ed","name":"Mark Bierman","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/person\/image\/","url":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2023\/06\/softwaresecurity-213x200.png","contentUrl":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2023\/06\/softwaresecurity-213x200.png","caption":"Mark Bierman"},"url":""}]}},"text_date":"May 4, 2026","author_name":"Multiple Authors","author_page":"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/april2026_security_bulletin","custom_image":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2025\/08\/Newsroom-Keyart-Wide-1920-x-1080.jpg","primary_product":"ArcGIS Trust Center","tag_data":[{"term_id":43671,"name":"administration","slug":"administration","term_group":0,"term_taxonomy_id":43671,"taxonomy":"post_tag","description":"","parent":0,"count":53,"filter":"raw"},{"term_id":24081,"name":"ArcGIS Trust Center","slug":"ssamymlgp","term_group":0,"term_taxonomy_id":24081,"taxonomy":"post_tag","description":"","parent":0,"count":96,"filter":"raw"},{"term_id":759222,"name":"CVE","slug":"cve","term_group":0,"term_taxonomy_id":759222,"taxonomy":"post_tag","description":"","parent":0,"count":32,"filter":"raw"},{"term_id":24071,"name":"Security","slug":"security","term_group":0,"term_taxonomy_id":24071,"taxonomy":"post_tag","description":"","parent":0,"count":126,"filter":"raw"},{"term_id":780941,"name":"SSAMLMYGP","slug":"ssamlmygp","term_group":0,"term_taxonomy_id":780941,"taxonomy":"post_tag","description":"","parent":0,"count":3,"filter":"raw"}],"category_data":[{"term_id":37501,"name":"Administration","slug":"administration","term_group":0,"term_taxonomy_id":37501,"taxonomy":"category","description":"","parent":0,"count":429,"filter":"raw"}],"product_data":[{"term_id":36571,"name":"ArcGIS Enterprise","slug":"arcgis-enterprise","term_group":0,"term_taxonomy_id":36571,"taxonomy":"product","description":"","parent":0,"count":984,"filter":"raw"},{"term_id":761642,"name":"ArcGIS Location Platform","slug":"platform","term_group":0,"term_taxonomy_id":761642,"taxonomy":"product","description":"","parent":36601,"count":215,"filter":"raw"},{"term_id":36551,"name":"ArcGIS Online","slug":"arcgis-online","term_group":0,"term_taxonomy_id":36551,"taxonomy":"product","description":"","parent":0,"count":2440,"filter":"raw"},{"term_id":763582,"name":"ArcGIS Trust Center","slug":"trust-arcgis","term_group":0,"term_taxonomy_id":763582,"taxonomy":"product","description":"Reserved for articles authored by the ArcGIS Trust Center team","parent":36981,"count":89,"filter":"raw"}],"primary_product_link":"https:\/\/www.esri.com\/arcgis-blog\/?s=#&products=trust-arcgis","_links":{"self":[{"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/blog\/2961441","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/blog"}],"about":[{"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/types\/blog"}],"author":[{"embeddable":true,"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/users\/136891"}],"replies":[{"embeddable":true,"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/comments?post=2961441"}],"version-history":[{"count":0,"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/blog\/2961441\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/media?parent=2961441"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/categories?post=2961441"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/tags?post=2961441"},{"taxonomy":"industry","embeddable":true,"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/industry?post=2961441"},{"taxonomy":"product","embeddable":true,"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/product?post=2961441"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}