Esri has discovered a security vulnerability with developer credentials affecting ArcGIS Online, ArcGIS Location Platform and ArcGIS Enterprise.
ArcGIS Online and ArcGIS Location Platform
Both were patched on 4/13/26. Only affected customers were notified by email that same day and asked to validate that the update did not affect their applications and scripts that use developer credentials.
ArcGIS Enterprise
UPDATE 4/20 – 11.4 patches released
Portal for ArcGIS 11.5 and 12.0 security patches were initially released on 4/13/2026 and updated on 4/16/2026, resolving two critical-severity vulnerabilities. Portal for ArcGIS 11.4 patches were subsequently released on 4/20/26; no other versions are applicable. These patches should be installed with the highest priority.
The Portal for ArcGIS 11.5 and 12.0 patches reset potentially over-scoped developer credentials created by Portal for ArcGIS 11.5 back to the expected default permissions. This is not expected to disrupt most customer developer credential use cases; however, the patch should be applied during an off-business-hours window to minimize potential operational disruption. Uninstalling the patch will NOT undo the permission changes to your developer credentials, so please back up your systems as recommended.
- See Windows and Linux patch page here
- Kubernetes customers should apply 12.0 Update 3 as described here
Mitigation
If your organization does not use any developer credentials (API keys or OAuth 2.0 credentials for application authentication), your system is not vulnerable. If your organization does use developer credentials and cannot apply this patch in a timely manner, we recommend invalidating the developer credentials until the patch can be applied.
Developer Credential Check
Browse to Organization settings / Security / Developer Credentials. If there are API keys or OAuth 2.0 credentials you have Developer Credentials.
Troubleshooting
If the reset of over-scoped developer credentials disrupts your script or app, we recommend the following steps to resolve it:
- Confirm all developer credentials in use by performing the Developer Credential Check above.
- Review the associated app or script which is failing and confirm which developer credential is the problem.
- Before making changes, confirm that the developer credential best practices listed in this announcement are being followed.
- Validate the permissions assigned to the developer credential and determine any additional script or app permission requirements by passing the credential as the token parameter to the portal's self resource. Quote the URL so the shell does not treat the & as a background operator, and for ArcGIS Enterprise substitute your portal's URL for www.arcgis.com.
Example: curl 'https://www.arcgis.com/sharing/rest/community/self?f=pjson&token=[Your_API_Key]'
- Determine whether you can reduce the permission requirements of your app or script, and adjust them accordingly.
- If you have confirmed that the elevated permissions are required, you will need to issue a new developer credential for your app/script, confirm that your issue is addressed, and then delete the original developer credential.
- If you need additional guidance, reach out to our support team for assistance.
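The permission validation and reduction steps above can be scripted. The following is an added example, not Esri code or part of this bulletin. It assumes the portal's community/self resource returns JSON containing a "privileges" list when called with a developer credential token, that the token is accepted as a POST parameter (which keeps it out of web-server and proxy access logs, unlike the query-string form), and that an ArcGIS Enterprise portal is reachable at a base URL such as https://host/portal. The sample response embedded in the block is constructed, not captured from a real portal.

```python
"""Report what a developer credential can actually do and whether it is over-scoped.

Added example, not Esri code. It assumes the community/self resource returns a
JSON document with a "privileges" list when called with a developer credential
token. SAMPLE_SELF_RESPONSE is a constructed sample, not a real portal response.
"""
import json
import urllib.parse
import urllib.request

# Constructed sample of a community/self response, trimmed to the fields used here.
SAMPLE_SELF_RESPONSE = json.dumps({
    "username": "app_credential_owner",
    "privileges": [
        "portal:user:createItem",
        "portal:user:shareToGroup",
        "premium:user:geocode",
        "premium:user:networkanalysis",
        "portal:admin:viewUsers",
    ],
})


def self_request(portal_url: str, token: str) -> urllib.request.Request:
    """Build a POST to <portal>/sharing/rest/community/self with the token in the body.

    portal_url is https://www.arcgis.com for ArcGIS Online or the Enterprise
    portal base URL (assumed here to look like https://host/portal).
    """
    url = portal_url.rstrip("/") + "/sharing/rest/community/self"
    body = urllib.parse.urlencode({"f": "json", "token": token}).encode()
    return urllib.request.Request(url, data=body, method="POST")


def fetch_self(portal_url: str, token: str, timeout: float = 30.0) -> str:
    """Call the self resource and return the raw JSON text (network call; the offline demo skips it)."""
    with urllib.request.urlopen(self_request(portal_url, token), timeout=timeout) as resp:
        return resp.read().decode()


def granted_privileges(self_json: str) -> set[str]:
    """Extract the privilege identifiers the credential carries.

    The ArcGIS REST API reports failures such as an invalid or expired token as
    an HTTP 200 body with an "error" object, so that case is checked explicitly
    rather than relying on the HTTP status.
    """
    data = json.loads(self_json)
    if "error" in data:
        raise RuntimeError(f"portal returned error: {data['error']}")
    return set(data.get("privileges", []))


def excess_privileges(granted: set[str], required: set[str]) -> set[str]:
    """Privileges the credential has beyond what the app or script needs (candidates to remove)."""
    return granted - required


def missing_privileges(granted: set[str], required: set[str]) -> set[str]:
    """Privileges the app or script needs that the (reset) credential no longer carries."""
    return required - granted


def admin_privileges(granted: set[str]) -> set[str]:
    """Administrative privileges; a developer credential should almost never carry these."""
    return {p for p in granted if p.startswith("portal:admin:")}


if __name__ == "__main__":
    # Offline demo: a geocoding script only needs premium:user:geocode.
    required = {"premium:user:geocode"}
    granted = granted_privileges(SAMPLE_SELF_RESPONSE)
    print("granted :", sorted(granted))
    print("excess  :", sorted(excess_privileges(granted, required)))
    print("missing :", sorted(missing_privileges(granted, required)))
    print("admin   :", sorted(admin_privileges(granted)))
    # Against a live portal, replace SAMPLE_SELF_RESPONSE with
    # fetch_self("https://www.arcgis.com", "<your developer credential>").
```

Run the excess and missing sets against each credential found in the Developer Credential Check: anything in the excess set is scope you can drop when reissuing the credential, anything in the missing set is what the reset removed and the app genuinely needs, and a non-empty admin set deserves scrutiny before you decide the elevated permissions are required.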
Best Practice
Esri and the software industry are moving away from using API keys for protecting sensitive content due to the inherent security risks they present. Esri has recently updated developer credential documentation and posted/updated the following ArcGIS Trust Center content:
- Enterprise Hardening Guidance
- 2026 Dev Summit Security Presentation
- ArcGIS Developer Credential best practices blog/video
What If I Have Legacy API Keys Still?
- While this vulnerability does not affect legacy API keys, you should immediately apply this security patch, then replace any legacy API keys in line with the best practice recommendations above. All legacy API keys will permanently expire on 6/27/26.
ArcGIS Enterprise Vulnerability Details
- Description: An incorrect privilege assignment vulnerability exists that allows highly privileged users to create developer credentials that may grant more privileges than expected.
- CWE-266: Incorrect Privilege Assignment
- Base CVSS 3.1: 9.8
- Temporal CVSS 3.1: 9.4
- Affected: Portal for ArcGIS 11.5
- Description: An incorrect authorization vulnerability exists that did not correctly check permissions assigned to developer credentials.
- CWE-863: Incorrect Authorization
- Base CVSS 3.1: 9.8
- Temporal CVSS 3.1: 9.4
- Affected: Portal for ArcGIS 11.4, 11.5, 12.0
Bulletin Update History:
- 4/13 – Initial announcement
- 4/14 – Patch temporarily disabled announcement
- 4/15 – Clarification of affected customer notification day/mechanism & what Legacy API Key users should do
- 4/16 – Updated Patch B version available
- 4/20 – Portal for ArcGIS 11.4 patch released
- 4/21 – CVE’s published publicly