Overview
A critical severity vulnerability has been disclosed in Esri Portal for ArcGIS, the enterprise GIS platform widely deployed across government, utilities, defense, and critical infrastructure sectors. The flaw, tracked as CVE-2026-13019, carries a CVSS v3 score of 9.8 (Critical) and affects all versions 12.1 and earlier running on Windows, Linux, and Kubernetes.
The vulnerability stems from a missing authentication check on a critical internal API function — an attacker with network access to the portal can invoke this endpoint without any credentials whatsoever.
Technical Details
| Field | Detail |
|---|---|
| CVE ID | CVE-2026-13019 |
| CVSS Score | 9.8 (Critical) |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Affected Product | Esri Portal for ArcGIS ≤ 12.1 |
| Affected Platforms | Windows, Linux, Kubernetes |
| CWE | CWE-306: Missing Authentication for Critical Function |
The unauthenticated API exposure allows a remote attacker to interact with functionality that should be restricted to authenticated administrative or privileged users. The specific API endpoint and its capabilities have not been fully detailed in the initial NVD disclosure, which is consistent with coordinated responsible disclosure practices.
Impact
Esri's Portal for ArcGIS is a cornerstone platform for organizations that rely on geographic information systems. It is commonly deployed in:
- Municipal and federal government for emergency management, urban planning, and public-facing map services
- Utilities (water, power, gas) for infrastructure mapping and operations
- Defense and intelligence for geospatial analysis workflows
- Healthcare for spatial epidemiology and resource mapping
An unauthenticated attacker exploiting CVE-2026-13019 could potentially access sensitive geospatial datasets, user data, or administrative functions — depending on what the unprotected API exposes. In high-value deployments, this could mean exposure of critical infrastructure maps, personnel data, or operational details.
With a CVSS of 9.8 and no authentication required, this vulnerability has a high likelihood of being targeted by opportunistic scanners and threat actors as proof-of-concept code becomes available.
Affected Versions
- Esri Portal for ArcGIS 12.1 and earlier
- Confirmed affected platforms: Windows, Linux, Kubernetes
Recommended Actions
- Apply Esri's patch immediately. Monitor Esri's security advisory portal at trust.arcgis.com for the official patch and release notes.
- Restrict network access to Portal for ArcGIS management interfaces. Do not expose the portal directly to the internet unless absolutely necessary — place it behind a WAF or network perimeter controls.
- Audit access logs on existing Portal for ArcGIS deployments to identify any unusual API calls that could indicate prior exploitation.
- Enable authentication enforcement at the reverse proxy or API gateway layer as a compensating control while patches are applied.
- Inventory all deployments — ensure all instances (including Kubernetes clusters) are identified and included in the patching cycle.